Diffstat (limited to 'testing/hosts')
147 files changed, 9483 insertions, 0 deletions
diff --git a/testing/hosts/alice/etc/conf.d/hostname b/testing/hosts/alice/etc/conf.d/hostname
new file mode 100644
index 000000000..2012e0451
--- /dev/null
+++ b/testing/hosts/alice/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=alice
diff --git a/testing/hosts/alice/etc/conf.d/net b/testing/hosts/alice/etc/conf.d/net
new file mode 100644
index 000000000..3070a46b1
--- /dev/null
+++ b/testing/hosts/alice/etc/conf.d/net
@@ -0,0 +1,11 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_ALICE broadcast 10.1.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/PH_IP1_MOON"
+
diff --git a/testing/hosts/alice/etc/init.d/iptables b/testing/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..1097ac5a4
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,74 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow NAT-T
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
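Review bot: In start() the single `eend $?` after the rule block only reports the exit status of the last call, `iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT`, so an earlier rule that fails to load (the IKE or NAT-T ACCEPT, say) goes unreported while the DROP policies set just above stay in force and the host is left silently unreachable. Track the status across the whole block instead: `rv=0` before the first policy command, `|| rv=1` appended to each iptables call, and `eend $rv` at the end. The same block mixes `/sbin/iptables` with a bare `iptables`, which depends on PATH inside an init script that runs `before net`; using the absolute path throughout would match stop() and reload(). bob's etc/init.d/iptables later in this diff has the same shape and would take the same change.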
diff --git a/testing/hosts/alice/etc/init.d/net.eth0 b/testing/hosts/alice/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+ set -x
+ devnull=/dev/stderr
+else
+ devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+ use hotplug pcmcia
+}
+
+checkconfig() {
+ if [[ -z "${ifconfig_IFACE}" ]]; then
+ eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+ eerror "(or \$iface_$IFACE for old-style configuration)"
+ return 1
+ fi
+ if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+ eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+ return 1
+ fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+ LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+# status_IFACE (up or '')
+# vlans_IFACE (space-separated list)
+# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE)
+# dhcpcd_IFACE (command-line args for dhcpcd)
+# routes_IFACE (array of route lines)
+# inet6_IFACE (array of inet6 lines)
+# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails)
+setup_vars() {
+ local i iface="${1//\./_}"
+
+ status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+ eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+ eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+ eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+ eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+ eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+ eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+ # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+ # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+ eval local iface_IFACE=\"\$\{iface_$iface\}\"
+ if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+ # Make sure these get evaluated as arrays
+ local -a aliases broadcasts netmasks
+
+ # Start with the primary interface
+ ifconfig_IFACE=( "${iface_IFACE}" )
+
+ # ..then add aliases
+ eval aliases=( \$\{alias_$iface\} )
+ eval broadcasts=( \$\{broadcast_$iface\} )
+ eval netmasks=( \$\{netmask_$iface\} )
+ for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+ ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+ done
+ fi
+
+ # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+ if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+ inet6_IFACE=( ${inet6_IFACE} )
+ fi
+}
+
+iface_start() {
+ local IFACE=${1} i x retval
+ checkconfig || return 1
+
+ if [[ ${ifconfig_IFACE} != dhcp ]]; then
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Bringing ${IFACE} up (${i})"
+ else
+ ebegin "Bringing ${IFACE} up"
+ fi
+ # ifconfig does not always return failure ..
+ ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+ ifconfig ${IFACE} up &>${devnull}
+ eend $? || return $?
+ else
+ # Check that eth0 was not brought up by the kernel ...
+ if [[ ${status_IFACE} == up ]]; then
+ einfo "Keeping kernel configuration for ${IFACE}"
+ else
+ ebegin "Bringing ${IFACE} up via DHCP"
+ /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+ retval=$?
+ eend $retval
+ if [[ $retval == 0 ]]; then
+ # DHCP succeeded, show address retrieved
+ i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' |
+ cut -d: -f2)
+ [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}"
+ elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+ # DHCP failed, try fallback.
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_fallback_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Using fallback configuration (${i}) for ${IFACE}"
+ else
+ ebegin "Using fallback configuration for ${IFACE}"
+ fi
+ ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+ ifconfig ${IFACE} up &>${devnull}
+ eend $? || return $?
+ else
+ return $retval
+ fi
+ fi
+ fi
+
+ if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+ einfo " Adding aliases"
+ for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+ ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+ ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+ eend $?
+ done
+ fi
+
+ if [[ -n ${inet6_IFACE} ]]; then
+ einfo " Adding inet6 addresses"
+ for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+ ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}"
+ ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+ eend $?
+ done
+ fi
+
+ # Set static routes
+ if [[ -n ${routes_IFACE} ]]; then
+ einfo " Adding routes"
+ for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+ ebegin " ${routes_IFACE[i]}"
+ /sbin/route add ${routes_IFACE[i]}
+ eend $?
+ done
+ fi
+
+ # Set default route if applicable to this interface
+ if [[ ${gateway} == ${IFACE}/* ]]; then
+ local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+ local gw=${gateway#*/}
+ if [[ ${ogw} != ${gw} ]]; then
+ ebegin " Setting default gateway ($gw)"
+
+ # First delete any existing route if it was setup by kernel...
+ /sbin/route del default dev ${IFACE} &>${devnull}
+
+ # Second delete old gateway if it was set...
+ /sbin/route del default gw ${ogw} &>${devnull}
+
+ # Third add our new default gateway
+ /sbin/route add default gw ${gw} >${devnull}
+ eend $? || {
+ true # need to have some command in here
+ # Note: This originally called stop, which is obviously
+ # wrong since it's calling with a local version of IFACE.
+ # The below code works correctly to abort configuration of
+ # the interface, but is commented because we're assuming
+ # that default route failure should not cause the interface
+ # to be unconfigured.
+ #local error=$?
+ #ewarn "Aborting configuration of ${IFACE}"
+ #iface_stop ${IFACE}
+ #return ${error}
+ }
+ fi
+ fi
+
+ # Enabling rp_filter causes wacky packets to be auto-dropped by
+ # the kernel. Note that we only do this if it is not set via
+ # /etc/sysctl.conf ...
+ if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+ -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+ echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+ fi
+}
+
+# iface_stop: bring down an interface. Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran. Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+ local IFACE=${1} i x aliases inet6 count
+
+ # Try to do a simple down (no aliases, no inet6, no dhcp)
+ aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+ inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+ if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $? "Timed out"
+ fi
+ ebegin " Stopping ${i}"
+ ifconfig ${i} down &>${devnull}
+ eend 0
+ done
+
+ return 0
+}
+
+start() {
+ # These variables are set by setup_vars
+ local status_IFACE vlans_IFACE dhcpcd_IFACE
+ local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+ # Call user-defined preup function if it exists
+ if [[ $(type -t preup) == function ]]; then
+ einfo "Running preup function"
+ preup ${IFACE} || {
+ eerror "preup ${IFACE} failed"
+ return 1
+ }
+ fi
+
+ # Start the primary interface and aliases
+ setup_vars ${IFACE}
+ iface_start ${IFACE} || return 1
+
+ # Start vlans
+ local vlan
+ for vlan in ${vlans_IFACE}; do
+ /sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+ setup_vars ${IFACE}.${vlan}
+ iface_start ${IFACE}.${vlan}
+ done
+
+ # Call user-defined postup function if it exists
+ if [[ $(type -t postup) == function ]]; then
+ einfo "Running postup function"
+ postup ${IFACE}
+ fi
+}
+
+stop() {
+ # Call user-defined predown function if it exists
+ if [[ $(type -t predown) == function ]]; then
+ einfo "Running predown function"
+ predown ${IFACE}
+ fi
+
+ # Don't depend on setup_vars since configuration might have changed.
+ # Investigate current configuration instead.
+ local vlan
+ for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+ iface_stop ${vlan}
+ /sbin/vconfig rem ${vlan} >${devnull}
+ done
+
+ iface_stop ${IFACE} || return 1 # always succeeds, btw
+
+ # Call user-defined postdown function if it exists
+ if [[ $(type -t postdown) == function ]]; then
+ einfo "Running postdown function"
+ postdown ${IFACE}
+ fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..d6cdbba7b
--- /dev/null
+++ b/testing/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=yes
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ left=%defaultroute
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem
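Review bot: `strictcrlpolicy=no` in `config setup` makes the CRL check advisory: when the CRL cannot be fetched (this host's init.d/iptables admits port 80 only to PH_IP_WINNETOU), the peer certificate is still accepted, so a revoked sun certificate would not be refused here even though `crlcheckinterval=180` suggests revocation matters. For a test fixture that is presumably intentional, but nothing in the file says so; a comment next to the setting such as `# test setup: an unreachable CRL must not block the tunnel` would stop the next reader from hardening it by accident. It would also help to note at `leftfirewall=yes` that the DROP-policy firewall in init.d/iptables opens nothing for ESP or 10.2.0.0/16 itself, so the tunnel appears to depend on the updown script inserting those rules — worth confirming and recording.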
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem b/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem new file mode 100644 index 000000000..e99ae8ec7 --- /dev/null +++ b/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer +GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 +FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W +6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH +v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc +KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa +60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG +A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 +cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo +2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ +AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 +D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S +CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi +6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re +JGhV +-----END CERTIFICATE----- diff --git a/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem b/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem new file mode 100644 index 000000000..045ef0405 --- /dev/null +++ b/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEArsXK+QTXz+i6MJpN3wZcE04f4K+jLSJsnyPaw2wGt6sZLWWD +FGzzNpV8r1+ixp27RRl5Ygew4qR7Dnjr2w++QorZIYYf6m77H7E7++5oQbgWWQC7 +yIYVYtDJwu3oEl9yrDsVPyvA24PXxdcFeY/uFFq+L9MQSVtVgds7uWbxPlbqFOv+ +xh12JIHtf39trskHLqXGYFxQDHluOKIctpb+WV5+SrKFzp3Dme89nYNyG8e/8da8 +sX1uy/FsGQdTT/P8ISxG4wEjsQ8QvivHdSqa4JQCqIwlNLcisNoiV8k4tZwqVuyc +TqEenCa32gMH2JYFj1Z5lRIC0kYXDhvsUJm9DQIDAQABAoIBAEsjnnARNPeeBu5+ +aJxKD6v9Gpdu66ir9Cc3MwZxmzG7zcdGrWRKswX0nvaHF2Rsy+aZXSZYSCQosv81 +3bEAw7u4FkHjeDVCIZUujatyhEA89N6vAgzkGK2zNgsoXW4IuzRw8mGGXhQCSvIz +z5bD2ofFu560D3x6V/jMWJENQQqbfWuD27OI+bZp92K2DGM6MoSbdNnd886F2oWR +4pQfrwoxmSm7JFFARoe4t6pZPy4G+5jjnrhB3kblxONaV297nvSby9Ctfke7oOkM +A3JpzNzEmrjjb2M8GKkYmbm6P+0ARdYIToD0sFpbRCdjJAKLadwNNnk2kijxPvQh +HNHGy8ECgYEA2uD922oiNaIvBR+rJ/zRsJg7Dth+upGePiieOZdS0S/dZUFEXuK7 +PdLZOcelQP2fIFRdODLEpkkOii292Ej3zixgzu9QYSfCdhcOoeV+RiAC7XEBBMqc +gFI1DdL91KGSmMNZ+B8yocA31pwQQsVFDUpvgqpA8fxsZkRI9oVSiOsCgYEAzGna +At/Kk9AQfiM7fpjBygYUt1ZErHsPJhLPVXmqx7+FuB2+RQvTMBS4sRdG6yC4Kd1y +CNIo83Yzv2IQGyNOCcGr60OPeqzTSQ6AUn7VxMY5EJZ880nfXBud7mj+CbyFi48V +Sh2qziF18aUYm7z4eJCTpLlFjPzHcoU1ORM0U+cCgYEAzCWp4Kp/OdMJVBgThXpz +AekavGAE43LKS2OLIGAZqG6iaryTToTe62zrms6xPYrQjlDhmXcQn5/oZc0AEukL +6ErQCHKBX/y7jXU3+pyYSEO3N0t9DcEEc1M5lKlEgrwohT8/fQNsMB2edxacvApO +u3S/yPmPFaTAXio2e2gicP0CgYEAp3PjM02PDu14RUypdTjAL7YxjErwcPdSXpc0 +H8pOm9mKOlyrPLbGJ3IiJnhyETW5iBovS4iWIXNoStSTaxfN2vI72rt6sz0WzJdD +idD7X3oezzboXwjaIANDqkV6LhGwuLXa898/yCLjErRzZ0kzptiRCnT3w9pjrK3w +/rN7v2sCgYAEwfgrwjb7+JUaSSaf6TlbM9/ZuTRBVN0OTQz2JVhokeAePeFjHzXt +nzJI2ETYlIu6e1VaFzHb6dp84PzWfLV7Kk8hZqJeCQN4RmQ04oNBllWoOZPbN7oa +8pAMk/DCsBxcM/GvnDQJlDVLQRyY64zJU8EI0rF1t+zosIyGtXom/A== +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/alice/etc/ipsec.secrets b/testing/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..5837fc7d7 --- /dev/null +++ b/testing/hosts/alice/etc/ipsec.secrets 
@@ -0,0 +1,9 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aliceKey.pem
+
+
+
+
+
+
diff --git a/testing/hosts/alice/etc/runlevels/default/net.eth0 b/testing/hosts/alice/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/alice/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+ set -x
+ devnull=/dev/stderr
+else
+ devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+ use hotplug pcmcia
+}
+
+checkconfig() {
+ if [[ -z "${ifconfig_IFACE}" ]]; then
+ eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+ eerror "(or \$iface_$IFACE for old-style configuration)"
+ return 1
+ fi
+ if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+ eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+ return 1
+ fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+ LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+# status_IFACE (up or '')
+# vlans_IFACE (space-separated list)
+# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE)
+# dhcpcd_IFACE (command-line args for dhcpcd)
+# routes_IFACE (array of route lines)
+# inet6_IFACE (array of inet6 lines)
+# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails)
+setup_vars() {
+ local i iface="${1//\./_}"
+
+ status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+ eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+ eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+ eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+ eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+ eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+ eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+ # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+ # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+ eval local iface_IFACE=\"\$\{iface_$iface\}\"
+ if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+ # Make sure these get evaluated as arrays
+ local -a aliases broadcasts netmasks
+
+ # Start with the primary interface
+ ifconfig_IFACE=( "${iface_IFACE}" )
+
+ # ..then add aliases
+ eval aliases=( \$\{alias_$iface\} )
+ eval broadcasts=( \$\{broadcast_$iface\} )
+ eval netmasks=( \$\{netmask_$iface\} )
+ for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+ ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+ done
+ fi
+
+ # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+ if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+ inet6_IFACE=( ${inet6_IFACE} )
+ fi
+}
+
+iface_start() {
+ local IFACE=${1} i x retval
+ checkconfig || return 1
+
+ if [[ ${ifconfig_IFACE} != dhcp ]]; then
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Bringing ${IFACE} up (${i})"
+ else
+ ebegin "Bringing ${IFACE} up"
+ fi
+ # ifconfig does not always return failure ..
+ ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+ ifconfig ${IFACE} up &>${devnull}
+ eend $? || return $?
+ else
+ # Check that eth0 was not brought up by the kernel ...
+ if [[ ${status_IFACE} == up ]]; then
+ einfo "Keeping kernel configuration for ${IFACE}"
+ else
+ ebegin "Bringing ${IFACE} up via DHCP"
+ /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+ retval=$?
+ eend $retval
+ if [[ $retval == 0 ]]; then
+ # DHCP succeeded, show address retrieved
+ i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' |
+ cut -d: -f2)
+ [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}"
+ elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+ # DHCP failed, try fallback.
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_fallback_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Using fallback configuration (${i}) for ${IFACE}"
+ else
+ ebegin "Using fallback configuration for ${IFACE}"
+ fi
+ ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+ ifconfig ${IFACE} up &>${devnull}
+ eend $? || return $?
+ else
+ return $retval
+ fi
+ fi
+ fi
+
+ if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+ einfo " Adding aliases"
+ for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+ ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+ ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+ eend $?
+ done
+ fi
+
+ if [[ -n ${inet6_IFACE} ]]; then
+ einfo " Adding inet6 addresses"
+ for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+ ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}"
+ ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+ eend $?
+ done
+ fi
+
+ # Set static routes
+ if [[ -n ${routes_IFACE} ]]; then
+ einfo " Adding routes"
+ for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+ ebegin " ${routes_IFACE[i]}"
+ /sbin/route add ${routes_IFACE[i]}
+ eend $?
+ done
+ fi
+
+ # Set default route if applicable to this interface
+ if [[ ${gateway} == ${IFACE}/* ]]; then
+ local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+ local gw=${gateway#*/}
+ if [[ ${ogw} != ${gw} ]]; then
+ ebegin " Setting default gateway ($gw)"
+
+ # First delete any existing route if it was setup by kernel...
+ /sbin/route del default dev ${IFACE} &>${devnull}
+
+ # Second delete old gateway if it was set...
+ /sbin/route del default gw ${ogw} &>${devnull}
+
+ # Third add our new default gateway
+ /sbin/route add default gw ${gw} >${devnull}
+ eend $? || {
+ true # need to have some command in here
+ # Note: This originally called stop, which is obviously
+ # wrong since it's calling with a local version of IFACE.
+ # The below code works correctly to abort configuration of
+ # the interface, but is commented because we're assuming
+ # that default route failure should not cause the interface
+ # to be unconfigured.
+ #local error=$?
+ #ewarn "Aborting configuration of ${IFACE}"
+ #iface_stop ${IFACE}
+ #return ${error}
+ }
+ fi
+ fi
+
+ # Enabling rp_filter causes wacky packets to be auto-dropped by
+ # the kernel. Note that we only do this if it is not set via
+ # /etc/sysctl.conf ...
+ if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+ -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+ echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+ fi
+}
+
+# iface_stop: bring down an interface. Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran. Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+ local IFACE=${1} i x aliases inet6 count
+
+ # Try to do a simple down (no aliases, no inet6, no dhcp)
+ aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+ inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+ if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $? "Timed out"
+ fi
+ ebegin " Stopping ${i}"
+ ifconfig ${i} down &>${devnull}
+ eend 0
+ done
+
+ return 0
+}
+
+start() {
+ # These variables are set by setup_vars
+ local status_IFACE vlans_IFACE dhcpcd_IFACE
+ local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+ # Call user-defined preup function if it exists
+ if [[ $(type -t preup) == function ]]; then
+ einfo "Running preup function"
+ preup ${IFACE} || {
+ eerror "preup ${IFACE} failed"
+ return 1
+ }
+ fi
+
+ # Start the primary interface and aliases
+ setup_vars ${IFACE}
+ iface_start ${IFACE} || return 1
+
+ # Start vlans
+ local vlan
+ for vlan in ${vlans_IFACE}; do
+ /sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+ setup_vars ${IFACE}.${vlan}
+ iface_start ${IFACE}.${vlan}
+ done
+
+ # Call user-defined postup function if it exists
+ if [[ $(type -t postup) == function ]]; then
+ einfo "Running postup function"
+ postup ${IFACE}
+ fi
+}
+
+stop() {
+ # Call user-defined predown function if it exists
+ if [[ $(type -t predown) == function ]]; then
+ einfo "Running predown function"
+ predown ${IFACE}
+ fi
+
+ # Don't depend on setup_vars since configuration might have changed.
+ # Investigate current configuration instead.
+ local vlan
+ for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+ iface_stop ${vlan}
+ /sbin/vconfig rem ${vlan} >${devnull}
+ done
+
+ iface_stop ${IFACE} || return 1 # always succeeds, btw
+
+ # Call user-defined postdown function if it exists
+ if [[ $(type -t postdown) == function ]]; then
+ einfo "Running postdown function"
+ postdown ${IFACE}
+ fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/bob/etc/conf.d/hostname b/testing/hosts/bob/etc/conf.d/hostname
new file mode 100644
index 000000000..bbf5a2ea6
--- /dev/null
+++ b/testing/hosts/bob/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=bob
diff --git a/testing/hosts/bob/etc/conf.d/net b/testing/hosts/bob/etc/conf.d/net
new file mode 100644
index 000000000..09133acad
--- /dev/null
+++ b/testing/hosts/bob/etc/conf.d/net
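Review bot: testing/hosts/alice/etc/runlevels/default/net.eth0 is committed as a full copy of etc/init.d/net.eth0 (both file headers show blob fa1200242) rather than the symlink a Gentoo runlevel directory normally holds, so the two copies can drift and the runlevel entry may stop matching the script that init.d actually runs. If the image build cannot carry symlinks, a one-line note in the runlevels directory saying the file is a copy that must stay identical to init.d/net.eth0 would document the constraint; otherwise a symlink is the smaller change.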
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_BOB broadcast 10.2.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/PH_IP1_SUN"
diff --git a/testing/hosts/bob/etc/init.d/iptables b/testing/hosts/bob/etc/init.d/iptables
new file mode 100755
index 000000000..7b8756b81
--- /dev/null
+++ b/testing/hosts/bob/etc/init.d/iptables
@@ -0,0 +1,74 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+ # allow NAT-T
+ iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/hosts/bob/etc/init.d/net.eth0 b/testing/hosts/bob/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/bob/etc/init.d/net.eth0
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out"
+ fi
+ ebegin " Stopping ${i}"
+ ifconfig ${i} down &>${devnull}
+ eend 0
+ done
+
+ return 0
+}
+
+start() {
+ # These variables are set by setup_vars
+ local status_IFACE vlans_IFACE dhcpcd_IFACE
+ local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+ # Call user-defined preup function if it exists
+ if [[ $(type -t preup) == function ]]; then
+ einfo "Running preup function"
+ preup ${IFACE} || {
+ eerror "preup ${IFACE} failed"
+ return 1
+ }
+ fi
+
+ # Start the primary interface and aliases
+ setup_vars ${IFACE}
+ iface_start ${IFACE} || return 1
+
+ # Start vlans
+ local vlan
+ for vlan in ${vlans_IFACE}; do
+ /sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+ setup_vars ${IFACE}.${vlan}
+ iface_start ${IFACE}.${vlan}
+ done
+
+ # Call user-defined postup function if it exists
+ if [[ $(type -t postup) == function ]]; then
+ einfo "Running postup function"
+ postup ${IFACE}
+ fi
+}
+
+stop() {
+ # Call user-defined predown function if it exists
+ if [[ $(type -t predown) == function ]]; then
+ einfo "Running predown function"
+ predown ${IFACE}
+ fi
+
+ # Don't depend on setup_vars since configuration might have changed.
+ # Investigate current configuration instead.
+ local vlan
+ for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+ iface_stop ${vlan}
+ /sbin/vconfig rem ${vlan} >${devnull}
+ done
+
+ iface_stop ${IFACE} || return 1 # always succeeds, btw
+
+ # Call user-defined postdown function if it exists
+ if [[ $(type -t postdown) == function ]]; then
+ einfo "Running postdown function"
+ postdown ${IFACE}
+ fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf
new file mode 100755
index 000000000..cdef4e042
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=yes
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ left=%defaultroute
+ leftcert=bobCert.pem
+ leftid=bob@strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsubnetwithin=10.1.0.0/16
+ auto=add
diff --git a/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem
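Review bot: `conn nat-t` accepts any initiator (`right=%any`) that presents a certificate chaining to an installed CA, with no `rightid` or `rightca` constraint, while `rightsubnetwithin=10.1.0.0/16` lets that peer claim any address in the range; pinning the expected identity or issuer (`rightca="<DN of the CA in strongswanCert.pem>"` or an explicit `rightid=`) states the intended trust rather than leaving it to whatever ends up in ipsec.d/cacerts. In this fixture the only CA added for bob is strongswanCert.pem in the next hunk, so the effective trust set is that single CA. `strictcrlpolicy=no` together with `crlcheckinterval=180` means CRLs are refreshed every 180 seconds but a missing or unreachable CRL does not reject the peer; a comment above `strictcrlpolicy=no` such as `# non-strict on purpose: CRL fetch from winnetou must not fail the test run` would make that choice visible to readers of the test setup.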
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem
new file mode 100644
index 000000000..199d3eee2
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY
+27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB
+fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg
+xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF
+ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E
+5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl
++27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u
+b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv
+c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z
+TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq
+0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI
+5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN
+NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw
+7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE
+Mto=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem
new file mode 100644
index 000000000..42af98bb0
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwCWno0t/5SX0B4MNJ876LYEkEvHsv+rb28e7OUbFmNu8fSuc
+XeOGj67z9kKcqt+CF0WOrj5SKnlE0DexCqS61gsTDk9+seTdAqPSeVFkQXyQteNQ
+/vPtUcCff22hCHnKQr29Bnwzl9BlzeZbXCZPNoWYxOMtchwtRTe1d83UYMZpaLqT
+7qJ/l9205sjEPdzSpIOPAkBrarX8ENDKj4jlrvDAYXc7XzsrumltxIL4hYrYS3NN
+knjc5aagdzPBg31/pq9zlQ4YYQtjiPlUZWc8+ysSddw1EdipLy2UfAJOBOZUY5FJ
+02Hf39zkGMX4wvInVJo+aI0ehW9MdbbFf4Jc1wIDAQABAoIBAGbSP5jUiAYZfzKd
+4GZTDfFXz/QLXcN9bFV51ihaRNb9jyn0MmLTpGgzGP3Iu4l8vWKyqB154AI2jqpV
+gvnNGOX9Wx8nTwbnD5WgELs24M1iWRXcJLWp1m8PAsrv4WJlueRpIEPeJsWwkSnT
+gUQYg/8LEqsZXnJXvanym7sWe/Wkh8i/UyMQJv7zwS+TZ5qeKRfSVo8/9622Ppsh
+n+zKFKnTUhiICUHFed4qZWyVR6NVyuzIYjeQy+VmBa5AOzmF549Izg6llwNrvJ8g
+DiIKSdtblMrN5OlmTra8LGn2QmlETipRb+4qx+MasbVI8pM1VMMQtBGAJYjhpC51
+rX/RLLECgYEA/Qk9PlUfw2aTA7I6a93pcjhUFTnKFVe9RdrwY7mds5t7dOAPcRBj
+5wnIv+OhVszoEo/uOPrgWmBu3ifkmcpPTe4NREFEVA99NOadiJDI/7oAj/Is4c5t
+CEb/zHTqKtYMVDrjwhszuPD3m2KNIJ38y4gkkrWT071xQBciztWhvYUCgYEAwmXV
+DFoNagTrNhf7Ep5sUek0O3nXPXY/cYKnKhlloUP41ftLbNvZ02qBQ6zqxPHtjGlB
+5sPeRQMFbVbmyb+97oa3Mrui1TPiTa5IBPyD36Gg0nFx+xLeXTsy8O8leoFcq02D
+1SDSye+fEdj2uYr+f33CIknQHUR4/xkOikgSQasCgYEAzTjOHBzsGw25VLkbmtqr
+eIDo6SIqnS7BCsPsTeWAWuhSs9L5kyjI7dxIniEffIfJ/SwQ+NO4XHRz1ugiBv1H
+Xpwg1Gfe5BJ/6QTVZaqP6qBPzm+LKUTDt3/l/Uwhk8Zwz2vHx2lKhMei+rpuXbLl
+EaoEh5yPHZ87F9Dr4Tbw7AUCgYAjtFpmE2AlWdPtsofdypUwkjmStvUuh7ptWcbk
+N5fv/7EDdE1NKDAg4Y3uZSMVmy27PVXqUY1QdZaYl356DaqP1dRuEAJ/UDE/fUQj
+DlIWT/Re0pFRwQxwaUAY+oOStZHUsL8G9SliB43a1FO0jm/h8LIoZBBCX+ItUGfY
+RBZ+UwKBgCToB2oPwDfrfCkScNozV7GPfcmHTR5bvvpYgRMGyuE1hAwLIWW9V4u9
+1Bp1vCR/C4kiUSBpYsGXLRqJ1GURueQoEbREE4ZvkmNV+t40uX3Fd8/OchAGi934
+0jYmd3dvN4MtF7O02YwpBzuH/wAwdxK0iDbdv+KEZb7TLdL37IN1
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/bob/etc/ipsec.secrets b/testing/hosts/bob/etc/ipsec.secrets
new file mode 100644
index 000000000..b3a0af048
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA bobKey.pem
+
+
+
+
+
diff --git a/testing/hosts/bob/etc/runlevels/default/net.eth0 b/testing/hosts/bob/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/bob/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out"
+ fi
+ ebegin " Stopping ${i}"
+ ifconfig ${i} down &>${devnull}
+ eend 0
+ done
+
+ return 0
+}
+
+start() {
+ # These variables are set by setup_vars
+ local status_IFACE vlans_IFACE dhcpcd_IFACE
+ local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+ # Call user-defined preup function if it exists
+ if [[ $(type -t preup) == function ]]; then
+ einfo "Running preup function"
+ preup ${IFACE} || {
+ eerror "preup ${IFACE} failed"
+ return 1
+ }
+ fi
+
+ # Start the primary interface and aliases
+ setup_vars ${IFACE}
+ iface_start ${IFACE} || return 1
+
+ # Start vlans
+ local vlan
+ for vlan in ${vlans_IFACE}; do
+ /sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+ setup_vars ${IFACE}.${vlan}
+ iface_start ${IFACE}.${vlan}
+ done
+
+ # Call user-defined postup function if it exists
+ if [[ $(type -t postup) == function ]]; then
+ einfo "Running postup function"
+ postup ${IFACE}
+ fi
+}
+
+stop() {
+ # Call user-defined predown function if it exists
+ if [[ $(type -t predown) == function ]]; then
+ einfo "Running predown function"
+ predown ${IFACE}
+ fi
+
+ # Don't depend on setup_vars since configuration might have changed.
+ # Investigate current configuration instead.
+ local vlan
+ for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+ iface_stop ${vlan}
+ /sbin/vconfig rem ${vlan} >${devnull}
+ done
+
+ iface_stop ${IFACE} || return 1 # always succeeds, btw
+
+ # Call user-defined postdown function if it exists
+ if [[ $(type -t postdown) == function ]]; then
+ einfo "Running postdown function"
+ postdown ${IFACE}
+ fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/carol/etc/conf.d/hostname b/testing/hosts/carol/etc/conf.d/hostname
new file mode 100644
index 000000000..d5101b924
--- /dev/null
+++ b/testing/hosts/carol/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=carol
diff --git a/testing/hosts/carol/etc/conf.d/net b/testing/hosts/carol/etc/conf.d/net
new file mode 100644
index 000000000..39470ad14
--- /dev/null
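Review bot: testing/hosts/bob/etc/runlevels/default/net.eth0 is committed as a full copy of the init script — its blob id fa1200242 is the same one added for testing/hosts/bob/etc/init.d/net.eth0 — whereas a Gentoo runlevel entry is normally a symlink into /etc/init.d created by rc-update. Two independent copies will drift the first time one of them is patched; making the runlevel entry a symlink (`ln -s /etc/init.d/net.eth0 /etc/runlevels/default/net.eth0`) or generating it when the host image is built avoids that. The body of this hunk appears to be the stock baselayout script, so it is not reviewed line by line here.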
+++ b/testing/hosts/carol/etc/conf.d/net
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_CAROL broadcast 192.168.0.255 netmask 255.255.255.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/carol/etc/init.d/iptables b/testing/hosts/carol/etc/init.d/iptables
new file mode 100755
index 000000000..cd7ba23ff
--- /dev/null
+++ b/testing/hosts/carol/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/hosts/carol/etc/init.d/net.eth0 b/testing/hosts/carol/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/carol/etc/init.d/net.eth0
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3228f4e16 --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.conf 
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+
+
+
diff --git a/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
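Review bot: `strictcrlpolicy=no` under `config setup` means a peer whose CRL cannot be fetched (or is stale) is not rejected, so the `crlcheckinterval=180` refresh only produces log output rather than enforcing revocation. Since the iptables script in this commit opens port 80 to winnetou specifically for CRL fetching, the lax policy looks deliberate for this scenario, but it deserves an inline comment such as `strictcrlpolicy=no   # a missing or stale CRL is non-fatal in this test`. The four empty lines after `auto=add` can be dropped.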
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..8492fbd45 --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX +T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl +vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii +S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW +LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM +YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD +j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI +U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM +2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE +HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd +hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG +C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK +omBYfxqp +-----END CERTIFICATE----- diff --git a/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..0522355ce --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuBuEkgQI4IbI0njTrS6f/AG4noxCO2ErkIAQ+BdP+W9nKehL +GF+5bmB4MILFB6zp1k95vrAlLgXl8feomgsz5nifXetmUITLIwGRwWW8rRo0Vj4B +GzSbtqtRfwHs9+L03pYdNiA7hel4EcsmtlDP0BTRXdLStx79ZW5WOKJL9wmGuBKL +uuXztCjWNg4D0/ToFlAuPR0U1xZasakqn+Fe8EXU5I/1vXmOyAyUIJYsmpeYtUoO +0qAM8sllHX2YguGBwe9rHEPtytov0ZHhCZYtvSbzigAgjBrD7SelkkxgMwx5h461 +x6kJYKZHL5eaypxa7iu00K7TlbVGxeNhkQoGNwIDAQABAoIBAQCnhwq8H4XAYYWN +17quJPYZR6uqQfDmvYX5yD8osXXpgNC8Fo92z2wZnxje86+8S0DA7bLXrMs4NM/H +vVcjTTxd5LcHrHN+o0eBRCVQeXYVgfnL3EH/coCa2Qugaa0q589wV+Ke5Pek5AyJ +DHXegmyHaNoW6Qcq8L0dtigpAq3jTLG5w/3QCo8DMDKOGNR3AJrFpDlS/gW3JXuL +Tn+PUojoWO9W6joDGYDTi4eeYyfZSajzwZvzecEpez3vwKN0pupvHA6BJCR8Mzkq +5EYIH0hvWLtBy8uiWRXTfu/ggoQI9/Z5hBWIQk71m23uMIBbkm+oDn/1fLSBcWfK +cr9RyM+RAoGBANpWewy7xCbkRV/90bgBNkTZ9HeFsFsWOgFVyB1XwM2E/nOqdRJc +rxFt5Qt63DaXB+2REn231EIrsIz/Xd+R9KDl+yZOCY/m/mL4oquTPurEGJPzZdgW +X3kUOFW1pbfcMcmzSp1FPufI17JPiePtUb/q3C4RAjCKlnskHftEyK1pAoGBANfd +eEN8UzoV/R3WsGNDNOecMdIVAX9aiGnkLLraP7CRZ1heCH5y+RV1RB98yppkJG31 +fw5F8a6GoomkMHWGqhzDzQacZQV8w7C6rDY0Bk5TF5vemvJTGlrydwodfMvcJj8Y +KZrS7A0iS3GAAmM6VGr3THyscszfJTq0NwE3v4KfAoGAY7L1wVzENxYpb6nRZ/p1 +s37rGODdJNrDZfSrympVygMexeZiSx4zevv5iQJzKCJTJnIGRY35yLV2iwvY68wU +LpyV0Gn2B9Xs93idn0c/hahBqN2N9dxRgFJxXwHxSEGuInJScfo6vVCC3hNf3cpy +d/Zg0FBH9a5zBIv7fM9t63ECgYAosrSt5I68cNDcA1IWJOGgmS47cYJqxGLbtA1K +3UMMwx08592qGXsktIs3dIuuOBs2MAbYZg9+3Btg3/fS8KS576CEEpBpTHCIrWky +fvSBZ+EXngyQi2J4qyYOXijdNpBvbNrLOeEPSNv4di39D05DLITbLJgoUBnwy3Fj +ZWNR+QKBgEKn19f5QWs/O1DPWBXfvCSc01cuSUx20a6Z3B6Lxj+7MuXBjVxPkGge +kEaZnNzwgm+QQ1C51nIn9gY4LZx7OxMy0idEss76aRq4Lb7I6XakBrCQLQ9IiTkv +gNOeJYGsQv7tkIWWRlBIXjSBGwT6HzTEfN5cvdHSDzARGFGjwYfK +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/carol/etc/ipsec.secrets b/testing/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..797f18a01 --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.secrets 
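Review bot: carolKey.pem is an unencrypted RSA private key committed in clear, which is acceptable only for a throw-away test identity; from here on it has to be considered public and never reused for anything outside the test network. Git records it as `new file mode 100644` and cannot express 0600, so the step that installs `etc/ipsec.d/private/` onto the test hosts has to set restrictive permissions itself — that step is not part of this diff, so I cannot tell whether it does. A short note next to the key material stating that these keys are test fixtures would keep them from being mistaken for real credentials.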
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
+
+
+
+
diff --git a/testing/hosts/carol/etc/runlevels/default/net.eth0 b/testing/hosts/carol/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/carol/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/dave/etc/conf.d/hostname b/testing/hosts/dave/etc/conf.d/hostname new file mode 100644 index 000000000..c3fabf331 --- /dev/null +++ b/testing/hosts/dave/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=dave diff --git a/testing/hosts/dave/etc/conf.d/net b/testing/hosts/dave/etc/conf.d/net new file mode 100644 index 000000000..db3753fb0 --- /dev/null +++ b/testing/hosts/dave/etc/conf.d/net 
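Review bot: testing/hosts/carol/etc/runlevels/default/net.eth0 is a verbatim 314-line copy of testing/hosts/carol/etc/init.d/net.eth0 (both are blob fa1200242) rather than a symlink. Assuming this tree mirrors a Gentoo root filesystem, runlevel entries are normally symlinks into /etc/init.d created by `rc-update add`, and a second copy will silently diverge from the first the next time either is patched. Either commit it as a symlink (git stores that as mode 120000) or, if the image-build tooling cannot handle links, add a comment in that tooling saying the copy is intentional.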
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_DAVE broadcast 192.168.0.255 netmask 255.255.255.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables
new file mode 100755
index 000000000..cd7ba23ff
--- /dev/null
+++ b/testing/hosts/dave/etc/init.d/iptables
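Review bot: `gateway="eth0/192.168.0.254"` is a literal address while `iface_eth0` a few lines above uses the `PH_IP_DAVE` placeholder; if the gateway is also meant to be substituted per scenario it needs a `PH_IP_*` placeholder, and if it is deliberately fixed a comment on that line (`# literal on purpose, not substituted at build time`) would stop it being "corrected" later. I cannot tell from this diff which is intended.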
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/hosts/dave/etc/init.d/net.eth0 b/testing/hosts/dave/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/dave/etc/init.d/net.eth0
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..76623491c --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.conf 
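Review bot: setup_vars splices its argument into `eval` strings after rewriting only `.` to `_`, so a VLAN name from `vlans_IFACE` (start() passes `${IFACE}.${vlan}`) containing other shell metacharacters would be evaluated as code rather than used as a variable name. The configuration is root-owned, so this is hardening rather than an exploitable path; a guard at the top of setup_vars, `case ${1} in *[!a-zA-Z0-9_.:-]*) return 1;; esac`, plus `setup_vars ${IFACE} || return 1` at the call site in start(), keeps the eval on plain names without needing newer bash features than the script already uses. Note also that `IFACE` is read throughout (checkconfig, start, stop) but never assigned in this file, which deserves a comment such as `# IFACE is expected to be set by the caller (runscript) — not assigned here`. The same script is added again byte-identical as testing/hosts/dave/etc/runlevels/default/net.eth0 and testing/hosts/moon/etc/init.d/net.eth0 in this series.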
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
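Review bot: ipsec.conf is added with mode 100755 (see the file header preceding this hunk), but it is a configuration file and does not need the execute bit; `chmod 644` before committing keeps it in line with the other `etc/` files in this series, which are 100644. Separately, `strictcrlpolicy=no` next to `crlcheckinterval=180` means a failed CRL fetch only warns while the tunnel still comes up; if this host is meant to exercise revocation the intent deserves a comment, e.g. `# strictcrlpolicy=no: CRL fetch failures are tolerated in this scenario`.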
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..abd1554e5 --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291 +bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx +2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2 +LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE +RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF +UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/ +98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB +ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq ++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy +8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9 +Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR +P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV +UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt +0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT +5qILUTmI +-----END CERTIFICATE----- diff --git a/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..1cbaa183f --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxmwplGOop4q+9f+kVnm3oHC1E5g0sUaqUTjQ8diEVBLhEuRC +nO6rI0c+OV6Ko4ssAkEY2Ft931BBGOq+35x5O9AslJ1nmcq+7+A/9i4wTd7JgxOv +2Wa88T8fsaYZVIoGDhf77eIFIltXTmea3J8Rvfnja0i+oFjTYNYrhEX5Uk25h1ek +1ZhlNjxnXShmel36ln3QPuojotvqMqsOmh+LuIX14ScjEThDoS3QBVL81PVIsxF0 +qrJhDkqHUvb8qVSUWE22XMe9HvUO4NjIIR77UGOplYAcwMGpAwQrf/fJQJSg3l1z +kKj3KgGUnNlYxvIBJpK9XbpvMLCcPAtpYihkRQIDAQABAoIBAQCQP7nKotjNVFSX +Sg4Sv9H61XUOlaxY5GKVQZTE/P7WkBMIROEYbXoE35og4tYvJtILoX+KapkLa7Cn +iKDSt1J7ZU/DitryNy6v/HsDYXjEY55jqEBC8CmTyKwl3fa0OtNEE7OWsKXC4FyM +J02x7gJb9fqa1/udXnXtBEYGl0g1x/vDmuhLgKyq6eliTm/orAyjGK2KfRxu06eS +YUZObr25wC7yDLHCBsWHGNVC7ZyxQoxcPOu9WNwlWYu92ZJMdf3+rIgZSeXxCn3U +3CWAC9tL1HnKC/twbyWEc2Gy0lZaQSgTJzaRtKOlqBTc5Szb4l1ibmyeAA7NanXK +wnUYfiZRAoGBAOWW0+4lzZhWOxK/cYwM5+eoI66MhPECFVK2sL8iC34BKGFRCrSd +YS/nugWiAu30knIBrw8z9BN0gYEfiE/EZyP5TbjtabKDN28xQa1+bw9Sr+5g5TcR +HFvZRkJWSYGoIuVO22eXUh+1hwx3KZP/UX6pwkrc2dxQLxNk0mo/BexPAoGBAN0/ +geik9GNIjbKwSPLvIIwcmO4TZja2RJy9NCTJOrJZFpCII6HvOiO0eYx3+So+KblG +n4AUxrhi4jq1/mAA+VUt4B9ywKH8xzGwhno78dJ1lvydpuzXSTHOEgsWh9Kme05P +syt/t1C0ZkWqOKsBGk1f7dU9IOWuOkpVUbbMX10rAoGBALp0S5lUyiu1nDQVljmP +IadZPeE77ZttfbO2+sO++mZSumCOWItmZM9q+gApGwf1YBmGlI1cPBSwwZwD58gg +UUM97IkLBpQbTKHY9uXXkIp5NLf7qSuXkdhmFFE7kmbiDbT83eK7Wc62tf7Bp9qx +t5WOeGQkCCqMVC8D6n6uwDixAoGABV4jErfdzgLWnT01p98xVPTkqPIDitRFOeBF +QZc4O1d5+quy4ZziNjeMs2G9w86aSIp0GDFo2NRdVLtRnpande+U/m5UShnN42C7 +AoAtz8NWlG5mvFxExFaRjX9QcEXlu/KnECkbE3Qs/wewNEXkk3f+VywSfkAJ3f/P +6bVvot0CgYBA1B9SXYhclR3KNZJPRuTn9OQ/TqLmcCMN62dIhPW4WZo2ixZH3YdS +PE/bYmYfZUPt7MnOSNSnuLKineIf1Dipz0gjuSyFGAs5DE+N+8GWYo00n+0e3TLL +pcBj4nOdIVPTZ31IFeVbi06dCYmzLPAGDeLe1M1Z7fakNky1Wv+Sdg== +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/dave/etc/ipsec.secrets b/testing/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..3fa796491 --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.secrets 
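Review bot: `daveKey.pem` is an unencrypted RSA private key committed in cleartext; for throwaway test-host credentials that is a deliberate choice, but nothing on the page says so, and git records only the execute bit, so the 0600 permission the key needs on the test host has to be applied by whatever copies `testing/hosts/dave/etc` into the image (TODO confirm that step exists). A note in ipsec.secrets next to `: RSA daveKey.pem`, e.g. `# test-only key, published in the source tree - never reuse outside the test network`, would make the status explicit for anyone who later copies these fixtures.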
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem
+
+
+
+
diff --git a/testing/hosts/dave/etc/runlevels/default/net.eth0 b/testing/hosts/dave/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/dave/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts new file mode 100644 index 000000000..b8bc8da66 --- /dev/null +++ b/testing/hosts/default/etc/hosts 
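Review bot: testing/hosts/dave/etc/runlevels/default/net.eth0 is added as a regular file (mode 100755, blob fa1200242, byte-identical to testing/hosts/dave/etc/init.d/net.eth0), whereas a Gentoo runlevel entry is normally a symlink to the init.d script; as a copy it will silently diverge the next time one of the two is edited. Committing it as a symlink (git mode 120000), or creating the link when the host image is built if that step handles symlinks, would keep a single source for the script.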
@@ -0,0 +1,34 @@
+# /etc/hosts: This file describes a number of hostname-to-address
+# mappings for the TCP/IP subsystem. It is mostly
+# used at boot time, when no name servers are running.
+# On small systems, this file can be used instead of a
+# "named" name server. Just add the names, addresses
+# and any aliases to this file...
+#
+
+127.0.0.1 localhost
+
+192.168.0.254 uml0.strongswan.org uml0
+10.1.0.254 uml1.strongswan.org uml1
+10.2.0.254 uml1.strongswan.org uml2
+
+PH_IP_ALICE alice.strongswan.org alice
+PH_IP_VENUS venus.strongswan.org venus
+PH_IP1_MOON moon1.strongswan.org moon1
+PH_IP_MOON moon.strongswan.org moon
+PH_IP_CAROL carol.strongswan.org carol
+PH_IP1_CAROL carol1.strongswan.org carol1
+PH_IP_WINNETOU winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+PH_IP_DAVE dave.strongswan.org dave
+PH_IP1_DAVE dave1.strongswan.org dave1
+PH_IP_SUN sun.strongswan.org sun
+PH_IP1_SUN sun1.strongswan.org sun1
+PH_IP_BOB bob.strongswan.org bob
+
+# IPV6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
diff --git a/testing/hosts/moon/etc/conf.d/hostname b/testing/hosts/moon/etc/conf.d/hostname
new file mode 100644
index 000000000..78e695337
--- /dev/null
+++ b/testing/hosts/moon/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=moon
diff --git a/testing/hosts/moon/etc/conf.d/net b/testing/hosts/moon/etc/conf.d/net
new file mode 100644
index 000000000..7dec60ba5
--- /dev/null
+++ b/testing/hosts/moon/etc/conf.d/net
@@ -0,0 +1,11 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_MOON broadcast 192.168.0.255 netmask 255.255.255.0"
+iface_eth1="PH_IP1_MOON broadcast 10.1.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
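Review bot: the line `10.2.0.254 uml1.strongswan.org uml2` in the hosts hunk binds the hostname `uml1.strongswan.org` a second time, after it was already given to 10.1.0.254 on the line above; the alias `uml2` suggests a copy-paste slip and the FQDN presumably should read `10.2.0.254 uml2.strongswan.org uml2`. As written, resolving uml1.strongswan.org through this file returns whichever entry the resolver hits first, which is confusing in a setup that uses /etc/hosts in place of DNS.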
diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..7f46267c2
--- /dev/null
+++ b/testing/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
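Review bot: start() enables forwarding unconditionally with `echo 1 > /proc/sys/net/ipv4/ip_forward` (outside the `eend` status, with no error check) but stop() never turns it off, so after `stop` the host keeps forwarding with every chain policy reset to ACCEPT; if that is intended for a gateway, a comment saying so is warranted, otherwise stop() should mirror it with `echo 0 > /proc/sys/net/ipv4/ip_forward`. The FORWARD chain also keeps policy DROP with no rules added here, so tunnelled traffic must be admitted by rules inserted elsewhere — the dave ipsec.conf in this series uses `leftfirewall=yes`, which hints at an IPsec updown script doing that, but moon's own ipsec.conf is not in this chunk, so please confirm. A one-line comment above the policy block, `# FORWARD rules for tunnelled traffic are expected to be added by the IPsec updown script`, would save the next reader the search.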
diff --git a/testing/hosts/moon/etc/init.d/net.eth0 b/testing/hosts/moon/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/moon/etc/init.d/net.eth0
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/init.d/net.eth1 b/testing/hosts/moon/etc/init.d/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/moon/etc/init.d/net.eth1 
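Review bot: This 314-line script is committed four times as the same blob (`index 000000000..fa1200242` for `init.d/net.eth0`, `init.d/net.eth1`, `runlevels/default/net.eth0` and `runlevels/default/net.eth1`), so any later fix has to be applied in four places. In the Gentoo layout the `#!/sbin/runscript` header belongs to, `runlevels/default/*` entries are normally symlinks into `/etc/init.d`, and `net.eth1` is itself usually a symlink to `net.eth0`, so one file plus three symlinks would express the same setup and keep the copies from diverging. If full copies are kept on purpose for the test image, a one-line comment under `#NB: Config is in /etc/conf.d/net` saying which copy is canonical would help the next maintainer. The same point applies to the three hunks that add the other copies.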
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a0e97e057 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.conf 
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=192.168.0.1
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+
+conn net-net
+ leftsubnet=10.1.0.0/16
+ right=192.168.0.2
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=add
+
+conn host-host
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ auto=add
+
+conn rw
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
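Review bot: `conn rw` sets `right=%any` with no `rightid` or `rightca`, so, as I read strongSwan's peer matching, any peer whose certificate chains to a CA in `ipsec.d/cacerts` can bring up the 10.1.0.0/16 tunnel; a comment above the conn stating that this is the intended roadwarrior policy, and that the only trusted CA shipped is strongswanCert.pem, would make the trust boundary explicit. `strictcrlpolicy=no` together with `crlcheckinterval=180` means CRLs are fetched but a missing CRL does not block a connection, which is fine for a lab yet deserves a comment so the stanza is not copied into a production config as-is. `leftfirewall=yes` also means strongSwan's updown script, not this file, is expected to open the FORWARD/INPUT holes that the iptables init script leaves closed under its DROP policies; noting that dependency next to `leftfirewall=yes` would help. The file is added as `new file mode 100755`, which a configuration file does not need.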
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem new file mode 100644 index 000000000..d8fbfa1c9 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDTCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTcyNVoXDTA5MDkwOTExMTcyNVowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv +ri4QmsCnG0N7bxqeUZTQhcmZ/iyN4RsmHwFsiOc06xpnZ7Fbx9gzi/OswU6KGL+F +f9PfvOY36bDTZU8V2QaL30RQUXz3JlG+jUyP9zjqlhsvVYS/cImvqgo3uUkQ0YCD +v2SafTlaQfBOaPFElNEP/H2YSiyB6X80IcHsOMYpskVqPY8785FehjF+pxuyRCK+ +9HXmd+iWdnC09u4qgKRa3L0IamU3q1/BK/afkHK2IAIN4YgM7GzepHVD0f7Exf9U +esJEeh4hDZwSjcMzdybrY9XBxzGqLGPOF128jr+5weUZiBW+RzeBw/gsK1nSPeuX +Od2lPJjTGj+6V3YK6qibAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIDqDAdBgNVHQ4EFgQU5eQQh2wqxL6thUlCpt52WDA6n8EwbQYDVR0jBGYwZIAU +XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK +ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC +AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g +LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G +CSqGSIb3DQEBBAUAA4IBAQAvLykhZnqldrsMcbYB36WzWKk+hOihr5dU3fv8Z4ec +tsa3gzxXSefDCxGoezVJ4QXdpdNxxFn31A+r1gxKyGI5JL6EyWz6Y462zp9lE7nW +EIC4ldJwxAXqzDEMcJphO29hApyU9TWsWDa4kL5AKtLFLwH3/Uv/jAzAy+qXIO8h +wLtB+wcmhSo8OFY9kX/cyhht7eb7yD/r2e3wVBOCRk7jePe4yWhN8NJAKwfrEd1K +iGq15ymdmeomhplHRsLZwA2VsCspUNZ/eXjG21s3nEoxcCOcQUz3Q7q4ZgBTZoCW +kAc6FQ5zxoZrmzNWFqzb06jmUVlt7baGtdjT7rEt+dcp +-----END CERTIFICATE----- diff --git a/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..89197a447 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAr64uEJrApxtDe28anlGU0IXJmf4sjeEbJh8BbIjnNOsaZ2ex +W8fYM4vzrMFOihi/hX/T37zmN+mw02VPFdkGi99EUFF89yZRvo1Mj/c46pYbL1WE +v3CJr6oKN7lJENGAg79kmn05WkHwTmjxRJTRD/x9mEosgel/NCHB7DjGKbJFaj2P +O/ORXoYxfqcbskQivvR15nfolnZwtPbuKoCkWty9CGplN6tfwSv2n5BytiACDeGI +DOxs3qR1Q9H+xMX/VHrCRHoeIQ2cEo3DM3cm62PVwccxqixjzhddvI6/ucHlGYgV +vkc3gcP4LCtZ0j3rlzndpTyY0xo/uld2CuqomwIDAQABAoIBAECAVQ1npCA2lFo3 +erByB49f75sIhVc6NPuUGrO8uBbn0vPwUGAASdLzKW5eMvXlDDx5qFLXSjdxJ6kV +4ymEWzDzsmNC5/zeJtkti9S30j/fCPAiF/Ep4oOKjOHUt4zjPqoglVFbdLk8yHwh +b6Pcd73E2GAXq6uvDTMYydhvJ+KaozAfbXmQ9vf3HbneI6xmgAug209Cu+gpMspW +4IunMMY/668neRmM7jh+4JNLMqJhCrmQpLkIlRux2yNFzxkF8RrqptGzaLf4KxNF +rRRUThHUfWmB/EvggzJgUMuVA2Pa0bKNvBbbQuwPqXMxLHMGBjvJ8wimsLzJZeXL +fgsyPKECgYEA5x//2cmlKL3LbprRpfSzVOPqM3OSeEqseQtPun9Gs7WNVZZVc/ZJ +O2hjdc9qDGjak3lDSwVbYl8B1kqfGTTLB1sl2171aDJQOWdNV3WQtexUKEhC4Ewn +yXEDoVGAXJtiCj34QYHjoMEHUqfabKyWKUcaK8hbMsOhYPOorfLXg9MCgYEAwpaP +W68NJGu5Zxsdz62rOiPNb58cuoxLDZsJ1sMKJO7BdPIqTZ0oGNdgt5phyc3ROBSH +cjqZdzpim1gXGm4ocGvwg3APNQN6DLBknJNZmHzPd7RLSz2UxhTHRTfHAltQPcmW +cJVBHsrsS0QnvDndXfzLuLq12S6UZasR5eBdcxkCgYEAizBuOI6DdGG4nceG8lbH +mRwY8xtq3h66d7skLMBxp9ByaVS76bYsrCZVn6Fl0EtlNuMUb52uRzPIO3F9FwUA +MFHoHpC1YibKwYdAwKcAm07T7950x/eVDm+NLB2VHDBHfruLQogiubEF4/VKSaA2 +Xm1/iVaD9bJzAZw7vWY9/BkCgYB/Xe9uErGmgkB0BaLIuiNWxfKFOn+id4v01uNk +yHtOW10TgCNCdDi3sdpjs1CIuAhXDdDuav7itLuwdMOCkFI16+EdF29Mwv7TaW4h +sq01i5R9BO03zZIg6Z7ZZr4Dg+OM3fNzs65RSn/KcE0V/kYwa/So8MVw5/VIauYn +MmnYmQKBgDEFWQPyPH242olRqtE0yDp8qVHEjJp7mU822YFbyCyAUnttqOS+/5/u +Z7H95QZHGaQESL1tcNnaiRASJAKDWjKOdM/TTotWjCn65v+DHvgk/IJeYJVHoGBS +pBE+wJ8AZJu3t9GVp3PxFxHIjxUrEKG0rli7bYv8F245+Wx8DeXI +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/moon/etc/ipsec.secrets b/testing/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..c90b4c4a3 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.secrets 
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+
+
+
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth0 b/testing/hosts/moon/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/moon/etc/runlevels/default/net.eth0
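Review bot: The secret this file points at, `moonKey.pem`, is committed unencrypted and with `new file mode 100644`; git records only the executable bit, so whatever copies `testing/hosts/moon/etc` into the guest must itself restrict `ipsec.d/private` (0700 directory, 0600 key), otherwise the key is readable by every local account on the test host. These are presumably throwaway lab credentials, and a comment such as `# test-lab key only; do not reuse outside the testing environment` above `: RSA moonKey.pem` would say so where the key is referenced. The four trailing blank lines after the RSA line can be dropped.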
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth1 b/testing/hosts/moon/etc/runlevels/default/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/moon/etc/runlevels/default/net.eth1 
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/ssh_host_rsa_key.pub b/testing/hosts/ssh_host_rsa_key.pub new file mode 100644 index 000000000..a5f71de4e --- /dev/null +++ b/testing/hosts/ssh_host_rsa_key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsxKfTm05po6leGD8C+M0eAR5EE4s1pQXc0D/dVlqrmfZ65h5BFQY9lnwpCvapV6OVqKWx8ICmeIH3OhaPxPPNKlU81f3d0xgh8BRJpWh459DYkRVa5f7ax5eeFE1lelj9s1d0seUl/IZolpJ8Wmt9TN1hwJ0mrkwN4670rb3urc= 
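Review bot: A runlevel entry is normally a symlink into `/etc/init.d`, but `etc/runlevels/default/net.eth1` here is a full copy of the stock Gentoo net script, and its blob id `fa1200242` is the same one that `sun/etc/init.d/net.eth0` and `sun/etc/init.d/net.eth1` carry further down this diff, so at least three identical copies of a 314-line script now have to be patched in lock-step. Committing a symlink (`ln -s /etc/init.d/net.eth1 etc/runlevels/default/net.eth1`), or a note in the host build scripts that the copy is deliberate, would avoid that. Inside the script, the quick-exit branch of `iface_stop` redirects with a literal `/dev/null` while every other call in the file uses `${devnull}`, so under `NET_DEBUG` that one `ifconfig ${IFACE} down` stays silent; `ifconfig ${IFACE} down &>${devnull}` would make it consistent with the rest.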
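Review bot: The host key in `ssh_host_rsa_key.pub` is 1024-bit RSA: the mpint length field in the blob decodes to a 129-byte modulus (leading zero byte plus 128 bytes) with the old public exponent 35, which is well below the 2048-bit floor current guidance sets for RSA. Its location directly under `testing/hosts/` rather than in a single host's tree suggests it is installed on every test host, so hosts are indistinguishable to an SSH client, and if the matching private key is checked in alongside it (not visible in this chunk) that key must be treated as public. Generating the host key when the test images are built (ed25519, or RSA of at least 3072 bits) would avoid committing one at all; failing that, a README note that this is a throwaway, test-only key is worth adding.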
diff --git a/testing/hosts/sun/etc/conf.d/hostname b/testing/hosts/sun/etc/conf.d/hostname
new file mode 100644
index 000000000..bc042b68b
--- /dev/null
+++ b/testing/hosts/sun/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=sun
diff --git a/testing/hosts/sun/etc/conf.d/net b/testing/hosts/sun/etc/conf.d/net
new file mode 100644
index 000000000..0f8dc57b1
--- /dev/null
+++ b/testing/hosts/sun/etc/conf.d/net
@@ -0,0 +1,13 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_SUN broadcast 192.168.0.255 netmask 255.255.255.0"
+iface_eth1="PH_IP1_SUN broadcast 10.2.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
+
+
diff --git a/testing/hosts/sun/etc/init.d/iptables b/testing/hosts/sun/etc/init.d/iptables
new file mode 100755
index 000000000..aeaf472fb
--- /dev/null
+++ b/testing/hosts/sun/etc/init.d/iptables
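Review bot: `gateway="eth0/192.168.0.254"` in `sun/etc/conf.d/net` is a literal address while every other address in the same file (`PH_IP_SUN`, `PH_IP1_SUN`) is a `PH_` placeholder substituted at build time. If the 192.168.0.0/24 side is a fixed outer network whose router never changes this is fine, but nothing says so, and the next person to grep for hard-coded addresses will "fix" it. A one-line comment above it, `# router of the outer 192.168.0.0/24 network: a fixed address, not a PH_ placeholder`, would settle that.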
@@ -0,0 +1,80 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+ # allow NAT-T
+ iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/hosts/sun/etc/init.d/net.eth0 b/testing/hosts/sun/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/sun/etc/init.d/net.eth0
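Review bot: `stop()` resets the filter FORWARD policy to ACCEPT but never reverts the `echo 1 > /proc/sys/net/ipv4/ip_forward` that `start()` performed, so after `iptables stop` sun keeps routing between its 192.168.0.0/24 and 10.2.0.0/16 sides with no filtering at all. If a stopped firewall is meant to leave the gateway wide open (plausible in a test harness) a comment saying so would help; otherwise `stop()` should end with `echo 0 > /proc/sys/net/ipv4/ip_forward`. Separately, the `eend $?` closing `start()` reports only the status of the final ssh `iptables -A`, so a failed policy or ESP rule earlier in the function is never surfaced, and the rules mix `/sbin/iptables` with a bare `iptables` that depends on `PATH` at boot.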
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/sun/etc/init.d/net.eth1 b/testing/hosts/sun/etc/init.d/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/sun/etc/init.d/net.eth1 
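Review bot: In `iface_start`, `local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')` captures every default route, so on a host with more than one the variable holds several words: the `[[ ${ogw} != ${gw} ]]` test is then always true and `route del default gw ${ogw}` is invoked with extra arguments. Printing only the first match, `awk '$1 == "0.0.0.0" {print $2; exit}'`, keeps the subsequent `route del` well-formed; the `local` prefix also hides netstat's exit status, though nothing here acts on it. This hunk is the same blob (`fa1200242`) as the `net.eth1` entries elsewhere in the diff, so whichever fix is chosen needs to be applied to each copy.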
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $?
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..4d0299a08 --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.conf 
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=yes
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+
+conn net-net
+ leftsubnet=10.2.0.0/16
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+conn host-host
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ auto=add
+
+conn nat-t
+ leftsubnet=10.2.0.0/16
+ right=%any
+ rightsubnetwithin=10.1.0.0/16
+ auto=add
diff --git a/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
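Review bot: `conn nat-t` combines `right=%any` with `rightsubnetwithin=10.1.0.0/16` and inherits no `rightid` from `conn %default`, so as far as this file shows any peer presenting a certificate chained to the CA in ipsec.d/cacerts can establish the tunnel and negotiate any subnet inside that range. That is presumably intended for the NAT-traversal test, but nothing in the file says so; a comment above the conn such as `# test fixture: peer identity is constrained only by CA trust, not by a rightid` would make the looser binding explicit. The same applies to `strictcrlpolicy=no`, which lets a peer connect when the CRL cannot be fetched; a comment stating this is deliberate for the testbed keeps the setting from being copied as a default.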
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem new file mode 100644 index 000000000..e7825e3db --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8 +foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS +Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC +AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe +zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n +HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G +N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg +KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq +hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i +ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP +Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S +5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE +JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk +Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA== +-----END CERTIFICATE----- diff --git a/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem new file mode 100644 index 000000000..de63615a6 --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA5Dx+gH2HkFn3aADkmRBMk26gXoUDOir3UaHtOjbv+DvinTX5 +JSexJoF8+Y18anhq91ITDLZ1YwD/u6PQNt7wwQqyw3O2nQlC5unazufyautAsayo +HpgBLT2XvlcONLfKpMIC0fWQPjMCX+P8DJ5AG4tHgLIkSYL+uoPf9r6mvjYJqWO4 +UGAFGkJNSlTiaWyVlJ7O/3C7rU/BMXFvxUOUEdR3+XCRdOEqBTe4SFZHEtqGlKV0 +QaaJNObHfST9ds4wXacc5sQe3kRj25ZEYZuPzVlFaI2TR021umd5Qe/8291Ytzn3 +UzxwQYRB1ZbZdNVsvYY3ruryF3MaAi9vtAk8xwIDAQABAoIBACOnh6OO+KSGSW4H +5a47q5rEh2z8nnpxx90KzMJxXp+Ky2X/zoINZ1E6nUlm3u7LDPrB6ZPs1P24ZDrt +5lMMFNQzVaXO59I0Zi0ojzQPbAFj6uFWtZTB7j0hCBmGBAQcSh3e6Q3frL7qvQ45 +0WAvQJiM84iZS63oNt7wRwaG1gmUn/k6j34y4qUkD5FfzGhFkekzDS54bRGwjhTA +7XBUPAcsdNoIPcihokgLXwcdA8l6LBGsk48HN7O+CYOdh4xb6oQ4msgPED3pDIMo +QRptqcPQ6y1qJaiM/D8SvdX2ZTFm/bh2jlGvcm5sWG8VdSDRqq9r0YCi4KlQzA1g +OAyrMeECgYEA9dAVEegvRrFm4V6hC9CAwyS6fiOqx/l0xd354Xv4V6vR6n6rKwDF +kv96A4sMH+mdNf6MwzFFCNW9zZV7noEIvAyPAc7jM7t/Hmt5M41DiDe0RJpWKEdQ +lEj2qd8FqcY4YVDEH/TdchwIvoWHlD2sykW7eoseCY5mYEoQN4Ciwj8CgYEA7bHv +qdaz2SoG9lyj8Mz7XthjYZLeaxKu7cpqP5bqzuRSkVFvib0WKoJfwsewzO5hCHnf +8yMD3Wp4Ap2FYoN2XfV/jQyHvlpMlkxv+bU39/HLosdhzKbOJsru9kbBCaARHAVi +av3O3JfV2/G+cwR6nPCNjcTsIcqtEpUO7kOfU3kCgYAKYNmy4tm0I2NTmpo0FH6L +Pq69CqZ4QPkELaYSNhi7It7/BpAVhbfRyAWPxrwhUMy5beDlkNv4ToXv+yK4A3yp +6+HR0rlXAtCQKTt5yLoUMz3iM531n2UwjZAUhf0IOP1CZpWRP9ZlrfdUi/C4eo4k +ECOlPeBryN5brGTY4w58IwKBgQC0ukRF2I+qoP/mNg4Yu2KtfM4jlG4072G+P9eF +PhSO9p+pCkhKbFD8RWDWUsslJmL09OXIkmkP4zIYmvieLOLFEjLHZi2YGER/SuMg +9B74EQsKW5sK5hF9AXOsIaQI04Hu0lFAlHbC11euAiMShOdNiMG4d3ArSVVK+bb+ +hsAP0QKBgHcJuTJ6dv77evW3MFZPRjFH25pike40PWmSLgCt5PV25DRL2UG0pOut +uybN9biQK5v377/3GD7eOL+acxHODjWmmfeEFW0YlJ1oUb/P8NlqsSnHvUoIqa24 +JmTXS/XzjgxQFFfzo0c1/1JLdG6r5CLTWxHq1EhIOJsowTlrCzX/ +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/sun/etc/ipsec.secrets b/testing/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..1095b74cc --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.secrets 
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.pem
+
+
+
+
+
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth0 b/testing/hosts/sun/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/sun/etc/runlevels/default/net.eth0
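Review bot: `: RSA sunKey.pem` points at a private key that this same commit adds to the repository as a plain file (ipsec.d/private/sunKey.pem, mode 100644), so the key material is public and the `@sun.strongswan.org` identity is only meaningful inside the testbed. A one-line comment here, e.g. `# sunKey.pem is committed to the repository: test-only key, regenerate for any other use`, records that for whoever copies these fixtures. The git mode also does not give the key the 0600 permissions it should have on the guest; the provisioning step that installs these files should tighten it, which this commit does not show.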
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+ set -x
+ devnull=/dev/stderr
+else
+ devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+ use hotplug pcmcia
+}
+
+checkconfig() {
+ if [[ -z "${ifconfig_IFACE}" ]]; then
+ eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+ eerror "(or \$iface_$IFACE for old-style configuration)"
+ return 1
+ fi
+ if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+ eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+ return 1
+ fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+ LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+# status_IFACE (up or '')
+# vlans_IFACE (space-separated list)
+# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE)
+# dhcpcd_IFACE (command-line args for dhcpcd)
+# routes_IFACE (array of route lines)
+# inet6_IFACE (array of inet6 lines)
+# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails)
+setup_vars() {
+ local i iface="${1//\./_}"
+
+ status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+ eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+ eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+ eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+ eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+ eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+ eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+ # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+ # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+ eval local iface_IFACE=\"\$\{iface_$iface\}\"
+ if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+ # Make sure these get evaluated as arrays
+ local -a aliases broadcasts netmasks
+
+ # Start with the primary interface
+ ifconfig_IFACE=( "${iface_IFACE}" )
+
+ # ..then add aliases
+ eval aliases=( \$\{alias_$iface\} )
+ eval broadcasts=( \$\{broadcast_$iface\} )
+ eval netmasks=( \$\{netmask_$iface\} )
+ for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+ ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+ done
+ fi
+
+ # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+ if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+ inet6_IFACE=( ${inet6_IFACE} )
+ fi
+}
+
+iface_start() {
+ local IFACE=${1} i x retval
+ checkconfig || return 1
+
+ if [[ ${ifconfig_IFACE} != dhcp ]]; then
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Bringing ${IFACE} up (${i})"
+ else
+ ebegin
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done
+ fi
+
+ # Set default route if applicable to this interface
+ if [[ ${gateway} == ${IFACE}/* ]]; then
+ local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+ local gw=${gateway#*/}
+ if [[ ${ogw} != ${gw} ]]; then
+ ebegin " Setting default gateway ($gw)"
+
+ # First delete any existing route if it was setup by kernel...
+ /sbin/route del default dev ${IFACE} &>${devnull}
+
+ # Second delete old gateway if it was set...
+ /sbin/route del default gw ${ogw} &>${devnull}
+
+ # Third add our new default gateway
+ /sbin/route add default gw ${gw} >${devnull}
+ eend $? || {
+ true # need to have some command in here
+ # Note: This originally called stop, which is obviously
+ # wrong since it's calling with a local version of IFACE.
+ # The below code works correctly to abort configuration of
+ # the interface, but is commented because we're assuming
+ # that default route failure should not cause the interface
+ # to be unconfigured.
+ #local error=$?
+ #ewarn "Aborting configuration of ${IFACE}"
+ #iface_stop ${IFACE}
+ #return ${error}
+ }
+ fi
+ fi
+
+ # Enabling rp_filter causes wacky packets to be auto-dropped by
+ # the kernel. Note that we only do this if it is not set via
+ # /etc/sysctl.conf ...
+ if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+ -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+ echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+ fi
+}
+
+# iface_stop: bring down an interface. Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran. Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+ local IFACE=${1} i x aliases inet6 count
+
+ # Try to do a simple down (no aliases, no inet6, no dhcp)
+ aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+ inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+ if [[ -z ${aliases} && -z ${inet6} && !
-e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $?
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth1 b/testing/hosts/sun/etc/runlevels/default/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/sun/etc/runlevels/default/net.eth1 
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+ set -x
+ devnull=/dev/stderr
+else
+ devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+ use hotplug pcmcia
+}
+
+checkconfig() {
+ if [[ -z "${ifconfig_IFACE}" ]]; then
+ eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+ eerror "(or \$iface_$IFACE for old-style configuration)"
+ return 1
+ fi
+ if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+ eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+ return 1
+ fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+ LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+# status_IFACE (up or '')
+# vlans_IFACE (space-separated list)
+# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE)
+# dhcpcd_IFACE (command-line args for dhcpcd)
+# routes_IFACE (array of route lines)
+# inet6_IFACE (array of inet6 lines)
+# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails)
+setup_vars() {
+ local i iface="${1//\./_}"
+
+ status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+ eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+ eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+ eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+ eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+ eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+ eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+ # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+ # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+ eval local iface_IFACE=\"\$\{iface_$iface\}\"
+ if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+ # Make sure these get evaluated as arrays
+ local -a aliases broadcasts netmasks
+
+ # Start with the primary interface
+ ifconfig_IFACE=( "${iface_IFACE}" )
+
+ # ..then add aliases
+ eval aliases=( \$\{alias_$iface\} )
+ eval broadcasts=( \$\{broadcast_$iface\} )
+ eval netmasks=( \$\{netmask_$iface\} )
+ for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+ ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+ done
+ fi
+
+ # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+ if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+ inet6_IFACE=( ${inet6_IFACE} )
+ fi
+}
+
+iface_start() {
+ local IFACE=${1} i x retval
+ checkconfig || return 1
+
+ if [[ ${ifconfig_IFACE} != dhcp ]]; then
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Bringing ${IFACE} up (${i})"
+ else
+ ebegin
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done
+ fi
+
+ # Set default route if applicable to this interface
+ if [[ ${gateway} == ${IFACE}/* ]]; then
+ local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+ local gw=${gateway#*/}
+ if [[ ${ogw} != ${gw} ]]; then
+ ebegin " Setting default gateway ($gw)"
+
+ # First delete any existing route if it was setup by kernel...
+ /sbin/route del default dev ${IFACE} &>${devnull}
+
+ # Second delete old gateway if it was set...
+ /sbin/route del default gw ${ogw} &>${devnull}
+
+ # Third add our new default gateway
+ /sbin/route add default gw ${gw} >${devnull}
+ eend $? || {
+ true # need to have some command in here
+ # Note: This originally called stop, which is obviously
+ # wrong since it's calling with a local version of IFACE.
+ # The below code works correctly to abort configuration of
+ # the interface, but is commented because we're assuming
+ # that default route failure should not cause the interface
+ # to be unconfigured.
+ #local error=$?
+ #ewarn "Aborting configuration of ${IFACE}"
+ #iface_stop ${IFACE}
+ #return ${error}
+ }
+ fi
+ fi
+
+ # Enabling rp_filter causes wacky packets to be auto-dropped by
+ # the kernel. Note that we only do this if it is not set via
+ # /etc/sysctl.conf ...
+ if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+ -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+ echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+ fi
+}
+
+# iface_stop: bring down an interface. Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran. Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+ local IFACE=${1} i x aliases inet6 count
+
+ # Try to do a simple down (no aliases, no inet6, no dhcp)
+ aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+ inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+ if [[ -z ${aliases} && -z ${inet6} && !
-e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $?
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/venus/etc/conf.d/hostname b/testing/hosts/venus/etc/conf.d/hostname new file mode 100644 index 000000000..c9e3dd1d4 --- /dev/null +++ b/testing/hosts/venus/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=venus diff --git a/testing/hosts/venus/etc/conf.d/net b/testing/hosts/venus/etc/conf.d/net new file mode 100644 index 000000000..2c55c2c20 --- /dev/null 
+++ b/testing/hosts/venus/etc/conf.d/net
@@ -0,0 +1,11 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_VENUS broadcast 10.1.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/PH_IP1_MOON"
+
diff --git a/testing/hosts/venus/etc/init.d/iptables b/testing/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..1097ac5a4
--- /dev/null
+++ b/testing/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,74 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow NAT-T
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
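Review bot: In `start()`, `eend $?` reports only the exit status of the final `iptables -A OUTPUT -p tcp --sport 22` call, so if any earlier ACCEPT rule fails the DROP policies installed at the top still stand, the host becomes unreachable (including over ssh) and the init script nonetheless reports success. Tracking the status across the rules, e.g. `local rv=0`, `iptables … -j ACCEPT || rv=1` on each rule and `eend ${rv}` at the end, makes the failure visible to runscript while keeping the fail-closed ordering. No rule accepts loopback traffic, so with INPUT and OUTPUT defaulting to DROP anything the host sends to itself is dropped as well; if that is intended for the test a comment saying so would help, otherwise `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A OUTPUT -o lo -j ACCEPT` are the usual additions. `stop()` and `reload()` read the table list with backticks around `cat`; `while read -r a; do …; done < /proc/net/ip_tables_names` is the more robust form. Other hosts in this commit appear to carry the same script (the blob id 1097ac5a4 recurs), so the same points apply there.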
diff --git a/testing/hosts/venus/etc/init.d/net.eth0 b/testing/hosts/venus/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/venus/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+ set -x
+ devnull=/dev/stderr
+else
+ devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+ use hotplug pcmcia
+}
+
+checkconfig() {
+ if [[ -z "${ifconfig_IFACE}" ]]; then
+ eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+ eerror "(or \$iface_$IFACE for old-style configuration)"
+ return 1
+ fi
+ if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+ eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+ return 1
+ fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+ LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+# status_IFACE (up or '')
+# vlans_IFACE (space-separated list)
+# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE)
+# dhcpcd_IFACE (command-line args for dhcpcd)
+# routes_IFACE (array of route lines)
+# inet6_IFACE (array of inet6 lines)
+# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails)
+setup_vars() {
+ local i iface="${1//\./_}"
+
+ status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+ eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+ eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+ eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+ eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+ eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+ eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+ # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+ # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+ eval local iface_IFACE=\"\$\{iface_$iface\}\"
+ if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+ # Make sure these get evaluated as arrays
+ local -a aliases broadcasts netmasks
+
+ # Start with the primary interface
+ ifconfig_IFACE=( "${iface_IFACE}" )
+
+ # ..then add aliases
+ eval aliases=( \$\{alias_$iface\} )
+ eval broadcasts=( \$\{broadcast_$iface\} )
+ eval netmasks=( \$\{netmask_$iface\} )
+ for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+ ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+ done
+ fi
+
+ # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+ if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+ inet6_IFACE=( ${inet6_IFACE} )
+ fi
+}
+
+iface_start() {
+ local IFACE=${1} i x retval
+ checkconfig || return 1
+
+ if [[ ${ifconfig_IFACE} != dhcp ]]; then
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Bringing ${IFACE} up (${i})"
+ else
+ ebegin
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done
+ fi
+
+ # Set default route if applicable to this interface
+ if [[ ${gateway} == ${IFACE}/* ]]; then
+ local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+ local gw=${gateway#*/}
+ if [[ ${ogw} != ${gw} ]]; then
+ ebegin " Setting default gateway ($gw)"
+
+ # First delete any existing route if it was setup by kernel...
+ /sbin/route del default dev ${IFACE} &>${devnull}
+
+ # Second delete old gateway if it was set...
+ /sbin/route del default gw ${ogw} &>${devnull}
+
+ # Third add our new default gateway
+ /sbin/route add default gw ${gw} >${devnull}
+ eend $? || {
+ true # need to have some command in here
+ # Note: This originally called stop, which is obviously
+ # wrong since it's calling with a local version of IFACE.
+ # The below code works correctly to abort configuration of
+ # the interface, but is commented because we're assuming
+ # that default route failure should not cause the interface
+ # to be unconfigured.
+ #local error=$?
+ #ewarn "Aborting configuration of ${IFACE}"
+ #iface_stop ${IFACE}
+ #return ${error}
+ }
+ fi
+ fi
+
+ # Enabling rp_filter causes wacky packets to be auto-dropped by
+ # the kernel. Note that we only do this if it is not set via
+ # /etc/sysctl.conf ...
+ if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+ -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+ echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+ fi
+}
+
+# iface_stop: bring down an interface. Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran. Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+ local IFACE=${1} i x aliases inet6 count
+
+ # Try to do a simple down (no aliases, no inet6, no dhcp)
+ aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+ inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+ if [[ -z ${aliases} && -z ${inet6} && !
-e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $?
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..35f264f82 --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.conf 
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=yes
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ left=%defaultroute
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem
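Review bot: `strictcrlpolicy=no` together with `crlcheckinterval=180` in `config setup` means the CRL is fetched periodically but an unreachable or missing CRL never blocks the connection, so the CRL-fetch firewall rules on the other test hosts are exercised without the revocation check ever being enforced in this scenario. If that is intended for a NAT-T test, a comment next to the setting would keep someone from "fixing" it later, e.g. `# CRL fetching is best effort here; revocation enforcement is not what this scenario tests`. `leftfirewall=yes` presumably delegates opening the firewall for tunnel traffic to the updown script, which is consistent with the per-host iptables scripts in this commit only allowing IKE and NAT-T explicitly, but that dependency is worth one line of comment too.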
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem b/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem new file mode 100644 index 000000000..25a6941b0 --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz +LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy +Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ +thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON +FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H +wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/ +nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E +BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA +FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE +ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB +ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw +LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww +DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN +rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX +PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B +fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid +hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh +wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA= +-----END CERTIFICATE----- diff --git a/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem b/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem new file mode 100644 index 000000000..6c4aff0ad --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAmlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFC +dhoDg6cxrsIvPAWyGs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3s +DdvZFbyfmQTWSEyJthrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHO +jpVNHn3BPUiL99ONFiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iO +vRGtJa/MfOWX6L/HwquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjy +Gxw1lORlDQlZy2w/nu0BAbXS1pb/2AiF8jDpbQIDAQABAoIBAFyVMMvn9YzGmeCq +e5MD9Dt30kPyAffu/stFwc5yOTfC8OHijhBzwq/0WWXRsKx9bj+PaZjGWWIE6PVU +u6ymvDdcBj7w6pM/ZY2siZ6uzUpXiy32G+qkfTMBGW2e7T4qTGMm8tuy69jmtn+u +SxXunYaXckfOATu8GxWhoP1dvKMbCrlQxxmduP04au8HhpLTQgDZ28PrvyqUR6AW +D+PDGACLbCFzmaMLgv6yv2+GNQpBEDr/VUjOOBvzZhUm9ku81dSdYNhHx8vbT/DG +GkERG9tE2PA51sWB5cUh13ZItWmbW/NoWiykxJb7J7VkjXAn57jw4suSbNEQnA/E +bg/5WwECgYEAyqEWS7cUCLheHuyWHOxkL7ACoko4wS8QO3Q4ohPlqZb7pca7FIqU +WzXEUcyYZPkKTAKx/Vd0Xv6raGImi1QluuwLULACvZ7Ei5uLsMxUCJKyLX7wunTb +64aH8jONNMAXX4K9eVj7EghBGjdnVc4HRAzm/QyH8F6hmXGT7Ulw3JECgYEAwvpU +AkrUGb5UgVG/tNtlOlCqVGyvWOITDEsxLPCTlC6Ls6EIYKvc/21oRNL7n/ssfvS/ +DbyVTatiCXaF/MDbx0msbxJbq3sGTY16/XMb1PeTRdQm4xsUEQB1Fi3MnhLmPzV1 +jdKSKvKoxTfZKUg9eP/aVs4abRyHsIXc7BRznR0CgYBB86qBHGa969xerlyxr1Nw +nhZNYmEUp8/duhdQ0a8XwtfHfmaX6f8drONoSHJ1swVh9iKetd9fp/58bC3lfY8G +RxvruE48D7gjRI50Dh1v6OdrnXyXA8As6c3HzHWybK9u2+v12jtmBB/Ee7H7oKKG +yLhKNtDsMLDic7BVNGkysQKBgHjzr0+oucCqiGOcoc8A1uABEFjE/1WlEOnsbzoQ +l4wx/6nT+I13r+WoKimftEZ/GxA6pZZQ6VHAQlXad63eubf75QMWIVXUQIm1fZli +Yd6QIoUL4X+62YzeesPib2+UC88kS6NKADCyTa3iQk3QqYm5Nenpew06yJXhxLWS +zlGlAoGACEbPUlQB+ouInOFyVcFf1kHsMBcmg54MVi2J6x95149rq5FlY5kbmZcs +6wlSBkAzzKb7WbPNgbGLMAYP+EXKODe+f1nzP+oojmJlCdTLfrudREFA2ZGGOKDX +0o2EhnGL7VB4Upuw5ddMs7s1v6pqUKQXrZQUb24AX8w/1n+0PEM= +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/venus/etc/ipsec.secrets b/testing/hosts/venus/etc/ipsec.secrets new file mode 100644 index 000000000..11f3aa4ca --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.secrets 
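Review bot: An unencrypted RSA private key is committed in cleartext here, and the same applies to winnetou's Apache key at testing/hosts/winnetou/etc/apache2/conf/ssl/server.key later in this commit; that is only defensible because these are test-bed identities, and nothing on the page says so. Git records just the executable bit (both files are added as mode 100644), so whatever copies testing/hosts/* onto the guest images has to set 0600 root-owned permissions on ipsec.d/private/ and on the Apache key — that step is outside this diff and worth confirming. A PEM file cannot carry a comment, so the note belongs next to that deployment step, e.g. `# test-only keys committed in the repository: never reuse them outside the strongSwan test network`.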
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA venusKey.pem
+
+
+
+
+
diff --git a/testing/hosts/venus/etc/runlevels/default/net.eth0 b/testing/hosts/venus/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/venus/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+ set -x
+ devnull=/dev/stderr
+else
+ devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+ use hotplug pcmcia
+}
+
+checkconfig() {
+ if [[ -z "${ifconfig_IFACE}" ]]; then
+ eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+ eerror "(or \$iface_$IFACE for old-style configuration)"
+ return 1
+ fi
+ if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+ eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+ return 1
+ fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+ LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+# status_IFACE (up or '')
+# vlans_IFACE (space-separated list)
+# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE)
+# dhcpcd_IFACE (command-line args for dhcpcd)
+# routes_IFACE (array of route lines)
+# inet6_IFACE (array of inet6 lines)
+# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails)
+setup_vars() {
+ local i iface="${1//\./_}"
+
+ status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+ eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+ eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+ eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+ eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+ eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+ eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+ # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+ # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+ eval local iface_IFACE=\"\$\{iface_$iface\}\"
+ if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+ # Make sure these get evaluated as arrays
+ local -a aliases broadcasts netmasks
+
+ # Start with the primary interface
+ ifconfig_IFACE=( "${iface_IFACE}" )
+
+ # ..then add aliases
+ eval aliases=( \$\{alias_$iface\} )
+ eval broadcasts=( \$\{broadcast_$iface\} )
+ eval netmasks=( \$\{netmask_$iface\} )
+ for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+ ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+ done
+ fi
+
+ # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+ if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+ inet6_IFACE=( ${inet6_IFACE} )
+ fi
+}
+
+iface_start() {
+ local IFACE=${1} i x retval
+ checkconfig || return 1
+
+ if [[ ${ifconfig_IFACE} != dhcp ]]; then
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Bringing ${IFACE} up (${i})"
+ else
+ ebegin
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done
+ fi
+
+ # Set default route if applicable to this interface
+ if [[ ${gateway} == ${IFACE}/* ]]; then
+ local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+ local gw=${gateway#*/}
+ if [[ ${ogw} != ${gw} ]]; then
+ ebegin " Setting default gateway ($gw)"
+
+ # First delete any existing route if it was setup by kernel...
+ /sbin/route del default dev ${IFACE} &>${devnull}
+
+ # Second delete old gateway if it was set...
+ /sbin/route del default gw ${ogw} &>${devnull}
+
+ # Third add our new default gateway
+ /sbin/route add default gw ${gw} >${devnull}
+ eend $? || {
+ true # need to have some command in here
+ # Note: This originally called stop, which is obviously
+ # wrong since it's calling with a local version of IFACE.
+ # The below code works correctly to abort configuration of
+ # the interface, but is commented because we're assuming
+ # that default route failure should not cause the interface
+ # to be unconfigured.
+ #local error=$?
+ #ewarn "Aborting configuration of ${IFACE}"
+ #iface_stop ${IFACE}
+ #return ${error}
+ }
+ fi
+ fi
+
+ # Enabling rp_filter causes wacky packets to be auto-dropped by
+ # the kernel. Note that we only do this if it is not set via
+ # /etc/sysctl.conf ...
+ if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+ -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+ echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+ fi
+}
+
+# iface_stop: bring down an interface. Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran. Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+ local IFACE=${1} i x aliases inet6 count
+
+ # Try to do a simple down (no aliases, no inet6, no dhcp)
+ aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+ inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+ if [[ -z ${aliases} && -z ${inet6} && !
-e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $?
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt new file mode 100644 index 000000000..956c217d9 --- /dev/null +++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l +dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ +F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa +r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26 +sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk +wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H +AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV +HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm +MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290 +IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud +HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh +bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG +6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw +p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc +yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln +JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw +4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key new file mode 100644 index 000000000..727027188 --- /dev/null +++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqX +uh16Ahe3S5vZF56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/ +u7BlyqpBUtLar14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRB +K2gQGBUULo26sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqV +jlKyqG7vdggkwW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3Mu +OP3FNHIRMd2HAcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABAoIBACYiWrCgl8B/c4Lz +Uay4Tlm8hvQ/zQJjY3v93EXwbB21hBV8qrYlt9zGfHqj+5q2vsbB9c0pzdO2VDba +EWueS2fUIWhglEG5VCebrztNCldx2O7jo9bMk8iBt+oLNaJunSK7ACeYHHGcE7dF +KZh1eyd7z4+SMBWZqmhO5ZisasQoHCusVGepcyyMGQNkc3XKJ6resGAsOqrOoq7Q +C4vO5Kkbnk8nnEGmQ/ldD8LwIyq1hzVLDiiqWXZgh6S5l4BEo7Dy3KYrZoZfVcZK +GMVhAI2+uA1ZqY9twpwryT6VZ3eK4DXF/COQntiBW5pLOpaqTOnKqiVmZFwfbo3u +cq8n5jkCgYEA5zgzRLifbM0q34c2HX8pTegh+BH7MGCxtcoU2uRPaXiGkqQObHI9 +aItrgUQp+pAmKSBnEWJKgKsOh2Uf5ogjIeNuruGG/AXw/Pw2ORHNueenhDuhu69T +E2I4yxT3PPYbdzJ4ylBElfgm9WTrv7Wi7wSSfgQ6rEFdWukXa5vvsqMCgYEA1K+q +m1Jv9MGVIVc6MxhuOOj2Ym+qcWt/Pjvg78rR8SRsKwHlGTuv1rdWUSXYDr3f2Nf7 +6DdbJtaSx5f8gY/UG34yGZx5FFbYV03vcCYBaLXsi/b6H7vb/VW74Y5g6bXqnprv +4mcdVU7xfyNFgdbLPAP9sYVLijPYDwm0Qq3cz/8CgYBKSJz4BBR8AQI4JBl3qoXb +mKtpJmW76iTN0amXlWgJ64XYkMptftpJvxj/w6V08WDBL77NL/XdlpcpWozAJJac +6ZOCrcQPLd15eZH2Dck5Y7pG2l2gjbgz7wdt/0NbG3pBdj6mSNlwEPR7PDwdMD6z +aZWi1LsA4lMaxO4YTVXZ3wKBgQCoFhTNH/+e/YawjNFQJFSn4WUnMn0Pmhc7xfLl +T/NPkqtx6dN3d7ZmCQrMow33yJOqOje5tFXzgc0KtNE4S8Uj3T4XA5SlQGVFyjAa +/85JRM2naA8RGVSpCCKuBeoNilnb8zL2SOvjyboN8oAyNuDzk2vh6ihjFsoASHkP +4XwLXQKBgQC0k6rzt/plIwEiP56XXOqwOxJj6kuE/hx1zGIiGT6lWiOsih20Ym2T +kYegVFvuDIWmSIAxGONWyee1lfnJbEuaHRixWQTnHUpqrU0FSnZTubnR3q/faZat +hrvLDdpa0ydAKoMEn3qUPSrh3CdBfi3KTQAQn2Mlk7bGHh9ICWi3vA== +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/conf.d/apache2 b/testing/hosts/winnetou/etc/conf.d/apache2 new file mode 100644 index 000000000..cfb80a7d9 --- /dev/null +++ b/testing/hosts/winnetou/etc/conf.d/apache2 
@@ -0,0 +1,52 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/conf.d/apache2,v 1.2 2006/01/06 12:21:21 as Exp $
+
+# Config file for /etc/init.d/apache2
+
+# An example from /etc/apache2/conf/modules.d/40_mod_ssl.conf:
+#
+# <IfDefine SSL>
+# <IfModule !mod_ssl.c>
+# LoadModule ssl_module extramodules/mod_ssl.so
+# </IfModule>
+# </IfDefine>
+#
+# This means that the mod_ssl.so DSO module is only loaded
+# into the server when you pass "-D SSL" at startup. To
+# enable WebDAV, add "-D DAV -D DAV_FS". If you installed
+# mod_php then add "-D PHP4". For more options, please
+# read the files in the /etc/apache2/conf/modules.d directory.
+
+APACHE2_OPTS="-D SSL -D DEFAULT_VHOST"
+
+# Extended options for advanced uses of Apache ONLY
+# You don't need to edit these unless you are doing crazy Apache stuff
+# As not having them set correctly, or feeding in an incorrect configuration
+# via them will result in Apache failing to start
+# YOU HAVE BEEN WARNED.
+
+# ServerRoot setting
+#SERVERROOT=/etc/apache2
+
+# Configuration file location
+# - If this does NOT start with a '/', then it is treated relative to
+# $SERVERROOT by Apache
+#CONFIGFILE=conf/apache2.conf
+
+# Location to log startup errors to
+# They are normally dumped to your terminal.
+#STARTUPERRORLOG="/var/log/apache2/startuperror.log"
+
+# PID file location
+# Note that this MUST match the setting in your configuration file!
+PIDFILE=/var/run/apache2.pid
+
+# Restart style
+# see http://httpd.apache.org/docs-2.0/stopping.html for more details
+# the default is 'graceful', the other possible value is 'restart'
+# If you use 'graceful', completion of the command does NOT imply that the system
+# has finished restarting. Restart is finished only when all child processes
+# have finished serving their current request sets. Read the URL for details.
+#RESTARTSTYLE="restart"
+RESTARTSTYLE="graceful"
diff --git a/testing/hosts/winnetou/etc/conf.d/hostname b/testing/hosts/winnetou/etc/conf.d/hostname
new file mode 100644
index 000000000..1bfa5acbd
--- /dev/null
+++ b/testing/hosts/winnetou/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=winnetou
diff --git a/testing/hosts/winnetou/etc/conf.d/net b/testing/hosts/winnetou/etc/conf.d/net
new file mode 100644
index 000000000..1a32153f3
--- /dev/null
+++ b/testing/hosts/winnetou/etc/conf.d/net
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_WINNETOU broadcast 192.168.0.255 netmask 255.255.255.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/winnetou/etc/conf.d/slapd b/testing/hosts/winnetou/etc/conf.d/slapd
new file mode 100644
index 000000000..8d9ac4787
--- /dev/null
+++ b/testing/hosts/winnetou/etc/conf.d/slapd
@@ -0,0 +1,8 @@
+# conf.d file for the openldap-2.1 series
+#
+# To enable both the standard unciphered server and the ssl encrypted
+# one uncomment this line or set any other server starting options
+# you may desire.
+#
+# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+OPTS="-4"
diff --git a/testing/hosts/winnetou/etc/hostname b/testing/hosts/winnetou/etc/hostname
new file mode 100644
index 000000000..6338c7c73
--- /dev/null
+++ b/testing/hosts/winnetou/etc/hostname
@@ -0,0 +1 @@
+winnetou
diff --git a/testing/hosts/winnetou/etc/init.d/apache2 b/testing/hosts/winnetou/etc/init.d/apache2
new file mode 100755
index 000000000..f54f3444a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/init.d/apache2
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="${opts} reload"
+
+[ "x${SERVERROOT}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
+[ "x${CONFIGFILE}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
+[ "x${STARTUPERRORLOG}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
+# set a default for PIDFILE/RESTARTSTYLE for those that FAILED to follow
+# instructiosn and update the conf.d/apache2 file.
+# (bug #38787)
+[ -z "${PIDFILE}" ] && PIDFILE=/var/run/apache2.pid
+[ -z "${RESTARTSTYLE}" ] && RESTARTSTYLE="graceful"
+
+checkconfig() {
+ local myconf="/etc/apache2/conf/apache2.conf"
+ if [ "x${CONFIGFILE}" != "x" ]; then
+ if [ ${CONFIGFILE:0:1} = "/" ]; then
+ myconf="${CONFIGFILE}"
+ else
+ myconf="${SERVERROOT:-/usr/lib/apache2}/${CONFIGFILE}"
+ fi
+ fi
+ if [ ! -r "${myconf}" ]; then
+ eerror "Unable to read configuration file: ${myconf}"
+ return 1
+ fi
+ if [ -z "${PIDFILE}" ]; then
+ eerror "\$PIDFILE is not set!"
+ eerror "Did you etc-update /etc/conf.d/apache2?"
+ return 1
+ fi
+ if [ -z "${RESTARTSTYLE}" ]; then
+ eerror "\$RESTARTSTYLE is not set!"
+ eerror "Did you etc-update /etc/conf.d/apache2?"
+ return 1
+ fi
+ /usr/sbin/apache2 -t ${APACHE2_OPTS} 1>/dev/null 2>&1
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ eerror "Apache2 has detected a syntax error in your configuration files:"
+ /usr/sbin/apache2 -t ${APACHE2_OPTS}
+ fi
+ return $ret
+}
+
+depend() {
+ need net
+ use mysql dns logger netmount postgres
+ after sshd
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Starting apache2"
+ [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
+ [ -f /usr/lib/apache2/build/envvars ] && . /usr/lib/apache2/build/envvars
+ env -i PATH=$PATH /sbin/start-stop-daemon --quiet \
+ --start --startas /usr/sbin/apache2 \
+ --pidfile ${PIDFILE} -- -k start ${APACHE2_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping apache2"
+ /usr/sbin/apache2ctl stop >/dev/null
+ start-stop-daemon -o --quiet --stop --pidfile ${PIDFILE}
+ eend $?
+}
+
+reload() {
+ # restarting apache2 is much easier than apache1. The server handles most of the work for us.
+ # see http://httpd.apache.org/docs-2.0/stopping.html for more details
+ ebegin "Restarting apache2"
+ /usr/sbin/apache2 ${APACHE2_OPTS} -k ${RESTARTSTYLE}
+ eend $?
+}
diff --git a/testing/hosts/winnetou/etc/init.d/net.eth0 b/testing/hosts/winnetou/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/winnetou/etc/init.d/net.eth0
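Review bot: `stop()` can never report a failure: the exit status of `/usr/sbin/apache2ctl stop >/dev/null` is discarded, and `start-stop-daemon -o` returns 0 when nothing matches the pidfile, so `eend $?` prints OK even if the server is still running. At minimum surface the first step's result, e.g. `/usr/sbin/apache2ctl stop >/dev/null || ewarn "apache2ctl stop failed (status $?)"`. Separately, `if [ ${CONFIGFILE:0:1} = "/" ]; then` in `checkconfig` leaves the expansion unquoted; a value containing whitespace breaks the test, so write `if [ "${CONFIGFILE:0:1}" = "/" ]; then`.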
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/winnetou/etc/init.d/slapd b/testing/hosts/winnetou/etc/init.d/slapd new file mode 100755 index 000000000..d4c070b33 --- /dev/null +++ b/testing/hosts/winnetou/etc/init.d/slapd 
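Review bot: `setup_vars` derives the variable names it feeds to `eval` from the interface name with only dots rewritten (`local i iface="${1//\./_}"`), so any other non-identifier character in an interface or VLAN name reaches `eval` unescaped; a `-` in the name, for instance, would turn `\$\{ifconfig_$iface\[@\]\}` into a `${name-default}` expansion that yields `0[@]` instead of the configured address, and other characters could be executed as shell. The name comes from the init script's symlink and from `vlans_IFACE`, both root-controlled, so this is a robustness rather than a privilege issue, but the sanitisation is too narrow; `iface="${1//[^[:alnum:]_]/_}"` maps every problematic character to `_` while keeping the existing `.`-to-`_` behaviour. Every function of net.eth0 starts and ends inside this hunk.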
@@ -0,0 +1,25 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/init.d/slapd,v 1.2 2005/05/31 14:04:43 as Exp $
+
+depend() {
+ need net
+}
+
+start() {
+ ebegin "Starting ldap-server"
+ eval start-stop-daemon --start --quiet --pidfile /var/run/openldap/slapd.pid --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
+ eend $?
+ if [ ! -e /var/lib/openldap-data/objectClass.bdb ]
+ then
+ sleep 5
+ ldapadd -x -D "cn=Manager, o=Linux strongSwan, c=CH" -w tuxmux -f /etc/openldap/ldif.txt
+ fi
+}
+
+stop() {
+ ebegin "Stopping ldap-server"
+ start-stop-daemon --stop --signal 2 --quiet --pidfile /var/run/openldap/slapd.pid
+ eend $?
+}
diff --git a/testing/hosts/winnetou/etc/openldap/ldif.txt b/testing/hosts/winnetou/etc/openldap/ldif.txt
new file mode 100644
index 000000000..3eca4d6c6
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openldap/ldif.txt
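Review bot: `start()` passes the rootdn password on the command line (`ldapadd ... -w tuxmux ...`), where every local user can read it from `ps` or `/proc/*/cmdline` while the import runs, and the exit status of `ldapadd` is never checked, so an initial load that fails (for example because slapd is not yet listening after the fixed `sleep 5`) leaves the directory empty without any message. Move the password out of argv, e.g. a mode-0600 file read with `-y /etc/openldap/rootpw` where the client tools support it, and check the result: `ldapadd -x -D "cn=Manager, o=Linux strongSwan, c=CH" -y /etc/openldap/rootpw -f /etc/openldap/ldif.txt || ewarn "initial LDAP import failed"`. The same literal also appears as `rootpw tuxmux` in slapd.conf, so both places need to change together.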
@@ -0,0 +1,40 @@
+dn: o=Linux strongSwan, c=CH
+objectclass: organization
+o: Linux strongSwan
+
+dn: cn=Manager,o=Linux strongSwan, c=CH
+objectclass: organizationalRole
+cn: Manager
+
+dn: cn=strongSwan Root CA, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: strongSwan Root CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/strongswan.crl
+certificateRevocationList;binary:< file:///etc/openssl/strongswan.crl
+cACertificate;binary:< file:///etc/openssl/strongswanCert.der
+
+dn: ou=Research, o=Linux strongSwan, c=CH
+objectclass: organizationalUnit
+ou: Research
+
+dn: cn=Research CA, ou=Research, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: Research CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/research/research.crl
+certificateRevocationList;binary:< file:///etc/openssl/research/research.crl
+cACertificate;binary:< file:///etc/openssl/research/researchCert.der
+
+dn: ou=Sales, o=Linux strongSwan, c=CH
+objectclass: organizationalUnit
+ou: Sales
+
+dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH
+objectClass: organizationalRole
+cn: Sales CA
+objectClass: certificationAuthority
+authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl
+certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl
+cACertificate;binary:< file:///etc/openssl/sales/salesCert.der
+
diff --git a/testing/hosts/winnetou/etc/openldap/slapd.conf b/testing/hosts/winnetou/etc/openldap/slapd.conf
new file mode 100644
index 000000000..4558ee2e2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openldap/slapd.conf
@@ -0,0 +1,68 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include /etc/openldap/schema/core.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+# Load dynamic backend modules:
+# modulepath /usr/lib/openldap/openldap
+# moduleload back_bdb.la
+# moduleload back_ldap.la
+# moduleload back_ldbm.la
+# moduleload back_passwd.la
+# moduleload back_shell.la
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database bdb
+checkpoint 32 30 # <kbyte> <min>
+suffix "o=Linux strongSwan,c=CH"
+rootdn "cn=Manager,o=Linux strongSwan,c=CH"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid. See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw tuxmux
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/openldap-data
+# Indices to maintain
+index objectClass eq
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
new file mode 100755
index 000000000..5a8fd7782
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
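Review bot: `rootpw tuxmux` stores the Manager password in cleartext directly beneath the comment that warns against doing so, and the file is committed with mode 100644 although its own header says it must not be world readable. Replace the literal with a `slappasswd` hash (`rootpw {SSHA}...`); the `ldapadd -w tuxmux` in init.d/slapd keeps working because a simple bind is verified against the stored hash. Note also that the file defines no `access` directives, so the default policy quoted in the comments applies and the whole tree is readable anonymously — reasonable for a CA-certificate/CRL repository in the testbed, but it deserves a comment next to `database bdb` such as `# No ACLs on purpose: CA certs and CRLs are public data; updates are limited to rootdn.` so nobody later takes the omission for an oversight.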
@@ -0,0 +1,35 @@
+#! /bin/sh
+# generate a certificate revocation list (CRL) for the strongswan CA.
+#
+# Copyright (C) 2004 Andreas Steffen
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: generate-crl,v 1.2 2005/03/24 11:19:38 as Exp $
+
+export COMMON_NAME=strongSwan
+
+cd /etc/openssl
+openssl ca -config /etc/openssl/openssl.cnf -gencrl -out crl.pem
+openssl crl -in crl.pem -outform der -out strongswan.crl
+cp strongswan.crl /var/www/localhost/htdocs/
+cp strongswanCert.pem /var/www/localhost/htdocs/
+cp index.html /var/www/localhost/htdocs/
+cd /etc/openssl/research
+openssl ca -config /etc/openssl/research/openssl.cnf -gencrl -out crl.pem
+openssl crl -in crl.pem -outform der -out research.crl
+cp research.crl /var/www/localhost/htdocs/
+cd /etc/openssl/sales
+openssl ca -config /etc/openssl/sales/openssl.cnf -gencrl -out crl.pem
+openssl crl -in crl.pem -outform der -out sales.crl
+cp sales.crl /var/www/localhost/htdocs/
+
diff --git a/testing/hosts/winnetou/etc/openssl/index.html b/testing/hosts/winnetou/etc/openssl/index.html
new file mode 100644
index 000000000..1641768ae
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.html
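Review bot: No command in this script is error-checked and there is no `set -e`, so when `openssl ca -gencrl` fails (bad CA passphrase, missing index.txt) the following `openssl crl` and `cp` lines silently convert and publish whatever stale `crl.pem` is already in the directory, and a failed `cd` makes the relative `cp` arguments resolve against the previous directory. Add `set -e` after the shebang and guard each directory change, e.g. `cd /etc/openssl || exit 1` (likewise for `research` and `sales`). The certificates added elsewhere in this commit appear to carry md5WithRSAEncryption (OID 1.2.840.113549.1.1.4) as their signature algorithm, which suggests the CA configs' `default_md` is md5 and that the CRLs produced here are MD5-signed as well; if that is the case, passing `-md sha1` (or stronger) to the `openssl ca -gencrl` calls, or fixing `default_md`, is cheap even for a test CA.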
@@ -0,0 +1,36 @@
+<html>
+<head>
+ <title>strongSwan Web Services</title>
+ <base target="_self">
+</head>
+
+<body bgcolor="#FFFFFF">
+<table border=0 cellpadding=0 cellspacing=0 width=600>
+
+<tr><td>
+ <h2>strongSwan Certification Authority</h2>
+ <ul>
+ <li>
+ <a href="strongswanCert.pem">Root CA Certificate</a>
+ </li>
+ </ul>
+ <ul>
+ <li>
+ <a href="strongswan.crl">Certificate Revocation List (CRL)</a>
+ </li>
+ </ul>
+
+ <h2>strongSwan UML Testing Environment</h2>
+ <ul>
+ <li>
+ <a href="testresults/">UML Test Results</a>
+ </li>
+ </ul>
+ <a href="images/umlArchitecture_large.png" target="_blank">
+ <img src="images/umlArchitecture_small.png" border="0">
+ </a>
+ <hr>
+ <address>Linux strongSwan (<a href="http://www.strongswan.org">www.strongswan.org</a>)</address>
+</td></tr>
+</table>
+</body>
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
new file mode 100644
index 000000000..4db6c2924
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -0,0 +1,15 @@
+V 090909111334Z 01 unknown /C=CH/O=Linux strongSwan/CN=mars.strongswan.org
+V 090909111553Z 02 unknown /C=CH/O=Linux strongSwan/CN=sun.strongswan.org
+V 090909111725Z 03 unknown /C=CH/O=Linux strongSwan/CN=moon.strongswan.org
+V 090909111826Z 04 unknown /C=CH/O=Linux strongSwan/CN=venus.strongswan.org
+V 090909112439Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
+V 090909112534Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
+R 090909112548Z 041226135423Z 07 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 090909112651Z 08 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V 091118162928Z 09 unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+V 091231214318Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 100216084430Z 0B unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
+R 140321062536Z 050621195214Z 0C unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V 140321062916Z 0D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.attr b/testing/hosts/winnetou/etc/openssl/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/index.txt.attr.old
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
new file mode 100644
index 000000000..669702b0c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -0,0 +1,14 @@
+V 090909111334Z 01 unknown /C=CH/O=Linux strongSwan/CN=mars.strongswan.org
+V 090909111553Z 02 unknown /C=CH/O=Linux strongSwan/CN=sun.strongswan.org
+V 090909111725Z 03 unknown /C=CH/O=Linux strongSwan/CN=moon.strongswan.org
+V 090909111826Z 04 unknown /C=CH/O=Linux strongSwan/CN=venus.strongswan.org
+V 090909112439Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org
+V 090909112534Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
+R 090909112548Z 041226135423Z 07 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 090909112651Z 08 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V 091118162928Z 09 unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+V 091231214318Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 100216084430Z 0B unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
+R 140321062536Z 050621195214Z 0C unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V 140321062916Z 0D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/newcerts/01.pem
new file mode 100644
index 000000000..bf4ba9375
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/01.pem
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDTCCAvWgAwIBAgIBATANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTMzNFoXDTA5MDkwOTExMTMzNFowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21hcnMu +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA +zRlshdPlLggS7bpAlovamLpk9pxYUv3c8J4W0kV4knMPbSJywfctpce95iPZfU6V +ICV0fVOn/0utJG+0lMTYwcf5zvyIDPDccfsTT3WI+/PcaUpU6E5aaPAZxDG4na6w +UVUKiRcOyiuyXanulnu+b48nM7MgoMVZNDWY5q15enEZh1oO2Fy0DlKwweDKEuAi +8xSnu2RcZBFSZMDBCRCt3QgHGZygrzjP3vN6IgbvHL+YWIycMi5yiJR5EoCE6D17 +AT1dh0C8R9m1a0LUK8cKiN+akZQlK/AHYOCu77fg1vz84dMDRIs2PCUs6Ww/fvqy +N4r1BXg8XKTVH0zmqfQLAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIDqDAdBgNVHQ4EFgQUbUWd4UeHwbTxn0Kr9io4nUGz6eAwbQYDVR0jBGYwZIAU +XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK +ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC +AQAwHgYDVR0RBBcwFYITbWFycy5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g +LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G +CSqGSIb3DQEBBAUAA4IBAQBY0ab/r6K40Gni/db8apZGJqoO3XFPE4K7wi46LNZq +gB3mQgazLkf48luj06rcfux+vC/2W3DyqAtKD5JRccL0A5yxY55p3rrCNvz76Y9H +0AkVledhZTjd7SxdtsfxlRuok4nACwQii9GXcfs8qBc5QE8ZQRAtPwRxVx8hE19n +D3AllTSukJSC6nPJHf+4FXz1Dxt3aFZOnkJM4qERBjFREYE4jGLaz71HNNKshsYy +2UuwLAqsQk6zYogrJgpWLIuMVE2GHoth/rjpkzK/ErAwcV4OgMNdA1bHGl94soDy +zryvlFj1zaqlvdKayWATnrAQQTQeeYz3i0wF95CNR22b +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/newcerts/02.pem new file mode 100644 index 000000000..e7825e3db --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/02.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8 +foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS +Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC +AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe +zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n +HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G +N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg +KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq +hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i +ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP +Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S +5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE +JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk +Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/newcerts/03.pem new file mode 100644 index 000000000..d8fbfa1c9 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/03.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDTCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTcyNVoXDTA5MDkwOTExMTcyNVowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv +ri4QmsCnG0N7bxqeUZTQhcmZ/iyN4RsmHwFsiOc06xpnZ7Fbx9gzi/OswU6KGL+F +f9PfvOY36bDTZU8V2QaL30RQUXz3JlG+jUyP9zjqlhsvVYS/cImvqgo3uUkQ0YCD +v2SafTlaQfBOaPFElNEP/H2YSiyB6X80IcHsOMYpskVqPY8785FehjF+pxuyRCK+ +9HXmd+iWdnC09u4qgKRa3L0IamU3q1/BK/afkHK2IAIN4YgM7GzepHVD0f7Exf9U +esJEeh4hDZwSjcMzdybrY9XBxzGqLGPOF128jr+5weUZiBW+RzeBw/gsK1nSPeuX +Od2lPJjTGj+6V3YK6qibAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIDqDAdBgNVHQ4EFgQU5eQQh2wqxL6thUlCpt52WDA6n8EwbQYDVR0jBGYwZIAU +XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK +ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC +AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g +LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G +CSqGSIb3DQEBBAUAA4IBAQAvLykhZnqldrsMcbYB36WzWKk+hOihr5dU3fv8Z4ec +tsa3gzxXSefDCxGoezVJ4QXdpdNxxFn31A+r1gxKyGI5JL6EyWz6Y462zp9lE7nW +EIC4ldJwxAXqzDEMcJphO29hApyU9TWsWDa4kL5AKtLFLwH3/Uv/jAzAy+qXIO8h +wLtB+wcmhSo8OFY9kX/cyhht7eb7yD/r2e3wVBOCRk7jePe4yWhN8NJAKwfrEd1K +iGq15ymdmeomhplHRsLZwA2VsCspUNZ/eXjG21s3nEoxcCOcQUz3Q7q4ZgBTZoCW +kAc6FQ5zxoZrmzNWFqzb06jmUVlt7baGtdjT7rEt+dcp +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/newcerts/04.pem new file mode 100644 index 000000000..25a6941b0 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/04.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz +LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy +Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ +thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON +FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H +wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/ +nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E +BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA +FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE +ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB +ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw +LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww +DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN +rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX +PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B +fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid +hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh +wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/newcerts/05.pem new file mode 100644 index 000000000..e99ae8ec7 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/05.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer +GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 +FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W +6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH +v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc +KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa +60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG +A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 +cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo +2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ +AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 +D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S +CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi +6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re +JGhV +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/newcerts/06.pem new file mode 100644 index 000000000..199d3eee2 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/06.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY +27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB +fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg +xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF +ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E +5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl ++27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ +BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz +dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u +b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv +c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z +TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq +0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI +5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN +NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw +7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE +Mto= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/newcerts/07.pem new file mode 100644 index 000000000..5b742fc9e --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/07.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV +mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo +5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv +VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN +IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 +K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 +OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB +56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM +2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q +O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL +LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 +wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N +9IcgYi5x +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/newcerts/08.pem new file mode 100644 index 000000000..abd1554e5 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/08.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291 +bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx +2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2 +LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE +RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF +UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/ +98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB +ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq ++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy +8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9 +Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR +P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV +UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt +0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT +5qILUTmI +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/newcerts/09.pem new file mode 100644 index 000000000..6ca9a58a4 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/09.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIBCTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MTExOTE2MjkyOFoXDTA5MTExODE2MjkyOFowZzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag +U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqJ0y0yhF4iEygd8M73wNC +8RO590BqiD3Z3x9/5GSVCgfm+ao4hcg6CogNGicu4ybzgPoHt0V/El4D8JRkM8QB +pg/R7WI4L1ndSZGgTHcQ1vViXGr4PUsIiUR/EgVCSFs8+6Z73J4bJeMomy27Hn9w +s4leHbrqK87btA2TETV3UlCaDXC6NF8321ZH+D+8OFQaQ0SqKrThKMVYSTf+QdpX +BlI9vtce1SyS6Kiy4WLdXAt8mO7x+UjaVEzFNyi6SXb9FAGVvO9OXi3+mxm9eK2g ++s1kA4jqDvL17JftvJLKzFZ5irEuTe2+wHdQbwtlOkW1JFAsGL4O+r4NIoBuMBZF +AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU +iAcKuK7HwQdcvmhqxKV/gR83tVYwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg +YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT +d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT +b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E +MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u +Y3JsMA0GCSqGSIb3DQEBBAUAA4IBAQA4jOyh+neFCkXMZ1gK0o98qkBr3vYEO2a0 +wb2hDv8Alx6T5kwLgdhAzZ5urZpAdiWF3NWE+z9KnEWnpep9MRDXNM8uBglgBO2v +SAmV1BXNw2ZDe63w6QvQnezgUuWkrTShfduEDmb8j5jVdzoY+kTKwjLYHPG0Ec79 +Os3PPqXlfeUOkzWnhGVP2EtHCj8SppMdA/XIuwIq8aLN14SITi6gvo/cDMa5N6sT +Q/UBAOWsxbLReaD7l5OXnAJOg3t/RM36vpRqPseGaAgrKy8805QDU2RxsCHrxwzF +Wi/17J6nmX3e4PuwqPAI/4MsHlFdExRvSq/gXBN/Ib4AHGkUr0/q +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem new file mode 100644 index 000000000..8492fbd45 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX +T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl +vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii +S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW +LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM +YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD +j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI +U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM +2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE +HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd +hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG +C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK +omBYfxqp +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem new file mode 100644 index 000000000..3c5c5d91d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv +cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI +wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6 +dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC +fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB +CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf +NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC +AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6 +5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq +Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh +QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry +b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg +CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR +aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY +ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw +YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v +Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov +wTLSA/z7c8nVCVoZI9Y= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem new file mode 100644 index 000000000..c380a5110 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1 +LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa +6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN +T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r +9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL +cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq +YO2C4HE= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem new file mode 100644 index 000000000..956c217d9 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l +dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ +F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa +r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26 +sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk +wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H +AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV +HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm +MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290 +IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud +HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh +bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG +6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw +p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc +yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln +JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw +4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/ocspCert.pem new file mode 100644 index 000000000..6ca9a58a4 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ocspCert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIBCTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MTExOTE2MjkyOFoXDTA5MTExODE2MjkyOFowZzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag +U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqJ0y0yhF4iEygd8M73wNC +8RO590BqiD3Z3x9/5GSVCgfm+ao4hcg6CogNGicu4ybzgPoHt0V/El4D8JRkM8QB +pg/R7WI4L1ndSZGgTHcQ1vViXGr4PUsIiUR/EgVCSFs8+6Z73J4bJeMomy27Hn9w +s4leHbrqK87btA2TETV3UlCaDXC6NF8321ZH+D+8OFQaQ0SqKrThKMVYSTf+QdpX +BlI9vtce1SyS6Kiy4WLdXAt8mO7x+UjaVEzFNyi6SXb9FAGVvO9OXi3+mxm9eK2g ++s1kA4jqDvL17JftvJLKzFZ5irEuTe2+wHdQbwtlOkW1JFAsGL4O+r4NIoBuMBZF +AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU +iAcKuK7HwQdcvmhqxKV/gR83tVYwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg +YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT +d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT +b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E +MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u +Y3JsMA0GCSqGSIb3DQEBBAUAA4IBAQA4jOyh+neFCkXMZ1gK0o98qkBr3vYEO2a0 +wb2hDv8Alx6T5kwLgdhAzZ5urZpAdiWF3NWE+z9KnEWnpep9MRDXNM8uBglgBO2v +SAmV1BXNw2ZDe63w6QvQnezgUuWkrTShfduEDmb8j5jVdzoY+kTKwjLYHPG0Ec79 +Os3PPqXlfeUOkzWnhGVP2EtHCj8SppMdA/XIuwIq8aLN14SITi6gvo/cDMa5N6sT +Q/UBAOWsxbLReaD7l5OXnAJOg3t/RM36vpRqPseGaAgrKy8805QDU2RxsCHrxwzF +Wi/17J6nmX3e4PuwqPAI/4MsHlFdExRvSq/gXBN/Ib4AHGkUr0/q +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/ocspKey.pem new file mode 100644 index 000000000..aa04e24c6 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ocspKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAqidMtMoReIhMoHfDO98DQvETufdAaog92d8ff+RklQoH5vmq +OIXIOgqIDRonLuMm84D6B7dFfxJeA/CUZDPEAaYP0e1iOC9Z3UmRoEx3ENb1Ylxq ++D1LCIlEfxIFQkhbPPume9yeGyXjKJstux5/cLOJXh266ivO27QNkxE1d1JQmg1w +ujRfN9tWR/g/vDhUGkNEqiq04SjFWEk3/kHaVwZSPb7XHtUskuiosuFi3VwLfJju +8flI2lRMxTcoukl2/RQBlbzvTl4t/psZvXitoPrNZAOI6g7y9eyX7bySysxWeYqx +Lk3tvsB3UG8LZTpFtSRQLBi+Dvq+DSKAbjAWRQIDAQABAoIBAC9SnMfPR0qhhcY/ +aMIXBT4x9E2NUZIPcDxPDOCx8bNtxcLcfxYXRxe1ZB9YvbsRm/yvS1qoAyETR6iK +2YqAxyu6Nr4o6l879B9SXbkaayb40ehYUbvWuC6Ylr9MkL/dhdqRFr1uH17ni6T4 +e6CGG+WJWVQeqqSEKJT8H6Zea+NSQi9UOsVgKIMiXr52j3hj8LraH/4FoOPlgg3r +mqrVcQlDYLtt+cufpFJLGzJhTylqlWCRWA6nwKFl8zZqGNaCswKkC3Ql47vlAmQT +ETl4MMpVsmezC8OcursRmgPJzRudnGg6RLyfTff9b/wFmIujvJLYeN/ILRFvFGkq +kiIWNIUCgYEA27y3N6lHJ8ommqquoyAVfQpc5Y1gFFXoE8VzkO1ts5B0N6r2DVvy +DFUT3cSWdBOsF2MykTnyAC0dVXRXTCTEI2AqdmgITOzs3Ydr0XlOPmuM3dOO060F +I9x4GsCpVcV/zWBZfJyUhNQqxpozrWNvHVgxrEc8pjD29iMLf+EsP2cCgYEAxjvP +9uQjRxWv3/5ZVEOpBnecZe+ysg0CgK0zt+nogTAn7ET27FFeW8BjcR6g+r57n9cu +X6EGdxuLexwoqvt3dO/rBF74knTe4ElDzEhcAoxnZPnJrJ6aST0KZ7lGoX5UW7wp +eyW7HXKpd1THY40v7aHhaSr4362kMTFpPvxxrXMCgYAkDa2+Kz8qjyeQXwryZvQ/ +pPCjFXQ7QfEnNVGF6P8D5GK9M4bVoE1xqo/s5jGNcCDfYX5Nh8VmNADJIaKlMq8f +4sp0zRL3lDQ1EOAm6ZFl+n2NdAXOQ2hBfw4RzaS7FwGmL/Xe1U4lES7HkUuDWnpD +xVG5I6MW3ZfXwN5FKCv7ZwKBgByIVWmq8qzzoSnzeTYYuwZ0Ru2hL65TEw4kX/JT +16RoowZt8sCXAabhLS8GApO0wSSDm2gmTEDulQf2SKA7q7kII2KwrMSfz8imovyP +WbcAMI2nKnEPLxPllk7RqynpfgjqL2pLRwB5FY1YhY59ru1cRI6XodTIMH7oJsbr +HQ2jAoGADHlVLAf9hQTYMrLCaO4mjOlJwRa19e1l47o4Lt1H+cGh96Jc4i7Hfkmv +e/j/ZF4XqtjvmZIR2xevL2+/pPVuMYV0hEWyDQzoUgM6OXF4smSG3N+SrDTSmM8I +XE9Ohc2JL3IKWN8SarsTUCrqle7UakmbYTUJqH9bJwGyvm3Ro1o= +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf new file mode 100644 index 000000000..dbe31abbd --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf 
@@ -0,0 +1,182 @@
+# openssl.cnf - OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#
+# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $
+#
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME = /etc/openssl
+RANDFILE = $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+[ new_oids ]
+SmartcardLogin = 1.3.6.1.4.1.311.20.2
+ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca = root_ca # The default ca section
+
+####################################################################
+
+[ root_ca ]
+
+dir = $CAHOME
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/strongswanCert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/strongswanKey.pem # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = host_ext # The extentions to add to the cert
+
+crl_extensions = crl_ext # The extentions to add to the CRL
+
+default_days = 1825 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+email_in_dn = no # allow/forbid EMail in DN
+
+policy = policy_match # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = optional
+localityName = optional
+organizationName = match
+organizationalUnitName = optional
+userId = optional
+serialNumber = optional
+commonName = supplied
+emailAddress = optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ca_ext # The extentions to add to the self signed cert
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = CH
+countryName_min = 2
+countryName_max = 2
+
+#stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = ZH
+
+#localityName = Locality Name (eg, city)
+#localityName_default = Winterthur
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Linux strongSwan
+
+0.organizationalUnitName = Organizational Unit Name (eg, section)
+#0.organizationalUnitName_default = Research
+
+#1.organizationalUnitName = Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId = UID
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = $ENV::COMMON_NAME
+commonName_max = 64
+
+#0.emailAddress = Email Address (eg, foo@bar.com)
+#0.emailAddress_min = 0
+#0.emailAddress_max = 40
+
+#1.emailAddress = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min = 0
+#1.emailAddress_max = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = DNS:$ENV::COMMON_NAME
+#extendedKeyUsage = OCSPSigner
+crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = email:$ENV::COMMON_NAME
+crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints = critical, CA:TRUE
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName = issuer:copy
+authorityKeyIdentifier = keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/research/.rand b/testing/hosts/winnetou/etc/openssl/research/.rand Binary files differnew file mode 100644
index 000000000..7479c2979
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/.rand
diff --git a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem new file mode 100644
index 000000000..f2a6b5c22
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem
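Review bot: `default_md = md5` in `[ root_ca ]` together with `default_bits = 1024` in `[ req ]` makes this CA mint MD5-signed certificates over 1024-bit RSA keys, and the newcerts hunks earlier on this page appear to carry md5WithRSAEncryption signatures consistent with that default. MD5 is collision-broken and OpenSSL at its default security level refuses to verify MD5 signatures, so certificates produced from this config are likely to fail validation in the test scenarios rather than merely be weak; I would set `default_md = sha256` and `default_bits = 2048` and regenerate the fixtures, or add a comment next to `default_md` stating that MD5 is kept deliberately for a legacy-interop case. The commented-out `#extendedKeyUsage = OCSPSigner` in `[ host_ext ]` uses a name OpenSSL does not recognise — the defined value is `OCSPSigning` — so it would error if anyone uncomments it; the section that actually issued the OCSP responder certificate (ocspCert.pem above) is not visible in this file and deserves a pointer comment.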
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xETAPBgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1
+ID41edDUgUjRdZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh
+8ZcR+TT8x0mOdYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+D
+Jl9XK9TtId5u57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yq
+GdPWODaN/Enw5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1a
+X7+M+IeYVwjIhzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4F
+jR8nhH4ApYMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQA9OKM8HKu5Fp/HRsdS
+3Z/tuLVjwijVq/OIge1PnoW7Ri2hnTpWeaWcU2wIexsxPJR6kYwqp9NfxM73uUUU
+e/ROCU+kZxSuzfV3SMMI8bsjufuldxKUXs1B8Nit1Qkhhj1/4uN6FRzQ5E9vz0Yf
+OuVVJxMIEgQRdBTcZ8Cuf23Mcq+sBa/2OXD/y6WTUNrXvjTjmGWv1LnryB6Ro8se
+ndI7bIiMZ/sSOrhOWrii/655bpUSYIb0RCzOnbdNAevbn/bLMEpj0qiDSam88Y/6
+FIY5sDCsdlpHsI2vkIrvPo4PUE+yzBhezmrLbVoiHjVoZhr1h091777Bomg/oUxv
+beEk
+-----END CERTIFICATE REQUEST-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
new file mode 100644
index 000000000..4bd650072
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -0,0 +1,2 @@
+V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.attr b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
new file mode 100644
index 000000000..148bab7d6
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -0,0 +1 @@
+V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem
new file mode 100644
index 000000000..90e207c4b
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx
+MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
+BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
+/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
+4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6
+XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562
+kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj
+gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
+p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD
+ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO
+clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB
+b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI
+koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf
+Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA
+/szZoxwnE2iHtIoMAhfHZpRvOkg=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
new file mode 100644
index 000000000..b5afd3d2e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -0,0 +1,181 @@
+# openssl.cnf - OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#
+# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $
+#
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME = /etc/openssl/research
+RANDFILE = $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+[ new_oids ]
+SmartcardLogin = 1.3.6.1.4.1.311.20.2
+ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca = root_ca # The default ca section
+
+####################################################################
+
+[ root_ca ]
+
+dir = $CAHOME
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/researchCert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/researchKey.pem # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = host_ext # The extentions to add to the cert
+
+crl_extensions = crl_ext # The extentions to add to the CRL
+
+default_days = 1825 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha1 # which md to use.
+preserve = no # keep passed DN ordering
+email_in_dn = no # allow/forbid EMail in DN
+
+policy = policy_match # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = optional
+localityName = optional
+organizationName = match
+organizationalUnitName = optional
+userId = optional
+commonName = supplied
+emailAddress = optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ca_ext # The extentions to add to the self signed cert
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = CH
+countryName_min = 2
+countryName_max = 2
+
+#stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = ZH
+
+#localityName = Locality Name (eg, city)
+#localityName_default = Winterthur
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Linux strongSwan
+
+0.organizationalUnitName = Organizational Unit Name (eg, section)
+0.organizationalUnitName_default = Research
+
+#1.organizationalUnitName = Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId = UID
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = $ENV::COMMON_NAME
+commonName_max = 64
+
+#0.emailAddress = Email Address (eg, foo@bar.com)
+#0.emailAddress_min = 0
+#0.emailAddress_max = 40
+
+#1.emailAddress = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min = 0
+#1.emailAddress_max = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = DNS:$ENV::COMMON_NAME
+#extendedKeyUsage = OCSPSigner
+crlDistributionPoints = URI:http://crl.strongswan.org/research.crl
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = email:$ENV::COMMON_NAME
+crlDistributionPoints = URI:http://crl.strongswan.org/research.crl
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints = critical, CA:TRUE
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName = issuer:copy
+authorityKeyIdentifier = keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/research/researchCert.der b/testing/hosts/winnetou/etc/openssl/research/researchCert.der
Binary files differ
new file mode 100644
index 000000000..2a52f620d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/researchCert.der
diff --git a/testing/hosts/winnetou/etc/openssl/research/researchCert.pem b/testing/hosts/winnetou/etc/openssl/research/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/researchCert.pem
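Review bot: `default_md = sha1` under `[ root_ca ]` and `default_bits = 1024` under `[ req ]` tie every certificate this CA issues to a digest and key size that are no longer adequate for signatures; for a PKI that only produces fixtures for the test hosts that may be acceptable, but nothing in the file says so. Either raise them to `default_md = sha256` and `default_bits = 2048`, or state the intent in the header, e.g. `# Test-only CA: the weak digest and key size are deliberate fixtures, never reuse outside the testbed`. The same two settings appear in the sales copy of this file (testing/hosts/winnetou/etc/openssl/sales/openssl.cnf) later in this diff and should be treated the same way.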
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg
+Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX
+fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq
+3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa
+0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1
+IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW
+Tfcyi+M=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/researchKey.pem b/testing/hosts/winnetou/etc/openssl/research/researchKey.pem
new file mode 100644
index 000000000..5e6f030f9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/researchKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAtjmyOqbgB1tYpz9PslqFanL3G109seeAE3qVuelhod+vGcay
++YMUIVkcJ3t6BGpD8C4kcdwS/cNR18lZYDKlWdS92VynnyEGOnF9M9c/0gMHHNBp
+DJTOwTEgZY5VRjZ7vEnkEoGddWSiTeG1jgevUZ2o2H7csSZt6AkGeBNFJHHg8onn
+gU79vvwtTMH6szGvPHD+WcjyMSYC0qW6BDtz1q4x4ULP42aVJ+dKhaEc3mqb7SI0
+rLQL7bki4Tw2r6LeO0GIjwHAGodje7Yi5+VSH01z139Hq8axE8wezfRfUdr+bRSD
+j3j7DCrB8QFlGPPEyYwX/VIbgjUTdMM4neyuOQIDAQABAoIBAA0xhjb66BOASJ3r
+VpDaPvijFEMV8CaWVU6TvI12WUxIDrx2B3VLSUTU19X/+aiiLQMRxC++OF3JK37N
+JDxzzkb/wTMgoz5BPNs0ZlU/i25gK76pVEHF8GZKcUcJFCF+Rl0umGXCnqzmOV4c
+LnH3Gnl1SclK/h2RY7m+FYrSElp+COHYBnW0agLIfRv/fF/1yApBP6jGegEFXp5z
+ZEwmmS2GbjVRq7ClqXfadQaPwRmGuueChq9S0DaY2z6/EAQJM/mHZYkeZGNTJqTk
+KWY0RmFZlCXRIxs+hG1agPZ/jdRwnxghPDcpnNZHKXLyoQhUa9oXn+RuUxPdK/s3
+9nB30xECgYEA6snKErKb04Sj6sB0/ONMK3OENVcbBYZlhyzymuSgpFY8FhhyDFIG
+H80eMGzlusvrBfV7OfJd17Mwuy0H3WBSGapbqXUa/vNc37VSGCiTObz/5RDhyU1N
+6zq5RZKPVDgnJ3VBTEr8Ito6b5iZWtyaRw0e4Xv1K0tdQPTLe2TaAEUCgYEAxrA6
+A94jBZWMwrXrUa7DCi0Y7BPh8hbZwHH1qEr8xNALnXGHSA5BbhjqLkYCWP5GlvrC
+G0TNrX1SMTv739wQL/GqvLTM1Jc/jrmPkLBymLNyweaKBXFt1qJDOdvtMwZdDo0y
+9hKXfyCDMURi3JhP/GLzA3bUruw28njZYgWI92UCgYBSKHyKoG+Ay7hkTCZj29Hq
+noiT9cAh5c6fR645X2mLOBXckX9PKmC0Ph2jSmf1PqgmNKmDNHl8IlsaFH7dC3iP
+PJrIqI7iyhwkuBlbFM+385gD+y1XOLLcbncojkmTafbhitlnrhGezIiIRnjbX7io
+xkGZG7xGAyBFu6N8sWTLlQKBgHdPN2c/KxSdWytJBofEQ8aGkiKhRdqTsiqHxBZN
+AUBGFdNzauLv/IZaW7VxwNMjzcu3xHuPc1qsmICMHpGsmePQYNB0WVOHh1jzQKyH
+6CieCVk6UMM3+9cZFPlXgTZUqeilDWcKfwKNyXn6MMt6gv1xhbAc2VY47j3oJ9Fe
+tYKpAoGAAWY1MTen71hatSFA7UGweuTqok5vhp0CPtGwCXLNHUcEhy1Fc640EO9i
+8i35fLA79haYWgpZ+GvrW9eYLPB8djidGSfzajc5C2CITHOrDQ6YQzKhwLjRHvB5
+gFQ8pdzFiXmSEvtfRwhoJvW19wdCZZx41VZ554ILOYrjtkntOB8=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
new file mode 100644
index 000000000..75016ea36
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -0,0 +1 @@
+03
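Review bot: researchKey.pem is an unencrypted RSA private key (a traditional PEM block with no `Proc-Type: 4,ENCRYPTED` / `DEK-Info` header), checked in with mode 100644 and named as `private_key` by the research CA's openssl.cnf earlier in this diff, so anyone who can read the repository can issue certificates that chain to this CA. If that is intended because the CA exists only for the winnetou test host, it should be written down next to the key, e.g. a README in testing/hosts/winnetou/etc/openssl stating that every key under that directory is public test material and must never be trusted or reused elsewhere, and the deployed copy should be installed with mode 0600. The same applies to sales/salesKey.pem later in this diff.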
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/sales/.rand b/testing/hosts/winnetou/etc/openssl/sales/.rand
Binary files differ
new file mode 100644
index 000000000..dd489598f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/.rand
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
new file mode 100644
index 000000000..5093b34e9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -0,0 +1,2 @@
+V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr b/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr
new file mode 100644
index 000000000..8f7e63a34
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
new file mode 100644
index 000000000..7378ebb8a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -0,0 +1 @@
+V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT
+BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS
+zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+
+1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN
+P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+
++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP
+aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY
+GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3
+YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
+cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P
+p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw
+ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6
+Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA
+DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/
+Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem
new file mode 100644
index 000000000..efb939e3a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
+CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
+rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID
+BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx
+4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q
+m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
+/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
+x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB
+AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr
+Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup
+Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg
+pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL
+rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S
+uaJ2yDwEhOHn3ihb1bqlanM=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
new file mode 100644
index 000000000..adb204bc2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -0,0 +1,181 @@
+# openssl.cnf - OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#
+# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $
+#
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME = /etc/openssl/sales
+RANDFILE = $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+[ new_oids ]
+SmartcardLogin = 1.3.6.1.4.1.311.20.2
+ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca = root_ca # The default ca section
+
+####################################################################
+
+[ root_ca ]
+
+dir = $CAHOME
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/salesCert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/salesKey.pem # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = host_ext # The extentions to add to the cert
+
+crl_extensions = crl_ext # The extentions to add to the CRL
+
+default_days = 1825 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha1 # which md to use.
+preserve = no # keep passed DN ordering
+email_in_dn = no # allow/forbid EMail in DN
+
+policy = policy_match # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = optional
+localityName = optional
+organizationName = match
+organizationalUnitName = optional
+userId = optional
+commonName = supplied
+emailAddress = optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ca_ext # The extentions to add to the self signed cert
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = CH
+countryName_min = 2
+countryName_max = 2
+
+#stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = ZH
+
+#localityName = Locality Name (eg, city)
+#localityName_default = Winterthur
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Linux strongSwan
+
+0.organizationalUnitName = Organizational Unit Name (eg, section)
+0.organizationalUnitName_default = Sales
+
+#1.organizationalUnitName = Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId = UID
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = $ENV::COMMON_NAME
+commonName_max = 64
+
+#0.emailAddress = Email Address (eg, foo@bar.com)
+#0.emailAddress_min = 0
+#0.emailAddress_max = 40
+
+#1.emailAddress = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min = 0
+#1.emailAddress_max = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = DNS:$ENV::COMMON_NAME
+#extendedKeyUsage = OCSPSigner
+crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = email:$ENV::COMMON_NAME
+crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints = critical, CA:TRUE
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName = issuer:copy
+authorityKeyIdentifier = keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesCert.der b/testing/hosts/winnetou/etc/openssl/sales/salesCert.der
Binary files differ
new file mode 100644
index 000000000..529fd2d45
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/salesCert.der
diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem b/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem b/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem
new file mode 100644
index 000000000..96dab2928
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwk5NJpmMN7lRH6Eluh1wTjRYHFab6vQWIP4UtzZzSEf9Bxab
+Vd+qdz2po88ajE7YF/BeAUQd851DMca62GGy90w+SZY/Vne4OvCxyquYvKrgkjzt
+7FJ6fWCCYJUSJvnlPh83GtMgYlqh7omf2/1nAbYH5SvecUD/B1yRJ2onFzpcv0Mp
+xGTdPFm2/1K4N+0T0bvzs7o8lLJ/JRiGV3PURl7k9OxSgBsEnQMNcnHfnraQO19B
+3B7Nq3QsDI6xVptir/Qb98FnAst6vioYXb7cKy8/uM1eeFFh5K/b7iLaYCOBsFEj
+UDeKqhTc2rW88CrOt6Q4j9FX0et70vWvxfV0gQIDAQABAoIBACypguJUeP52Akea
+6ukUyzOupHIfFkezQ0LiJDDYuzbqFScD80CR4MT3z35vpFKL7O/TuEfiOGA+zasr
+WtdR3akqRUb02iot6pLhsHw9ZSY4wNXcW3PuoWkgPdelbD65QhA9bJUl4lO5MW97
+Atu2K28hQD9VDhRKNFSk2liM9d9IjGeO3Eg0FnN/gDiFRHN0A5vrjqnmkUWqeJzh
+561pomDuNxyGK1NkgZ+Cc75e+KJYwLX4sSzPiyMJhTt+ERLBb1ngcXpjcRn9Kjq+
+1QCsFbeuk1F034GnMEf5b1flu6vrmpWC3wnNQLRLuYommQ1O+uQtl9be2a+olCTd
+jD8aAuECgYEA5SnJtLNPQPTj6LzIE9EGZzp78OOzJaHDNfungGAAnv8xV55ap8g1
+3KORa+QKwpCa2MgV9UKtsuql1OjfslYjFARaOp24Qh7z+GFfzsWX4V7C4zlYbGfj
+Fe905/5sNeZnZwgiwKK0kQpZ/dyS1RI1koXphVBAb+sLh9gRdm3Qw/sCgYEA2Q+B
+Rv6WpymV09Vp7c3yHDWmVwLJCoFZoWgSuu6XPUF1MuH3omYN211M3lA526OiH1ce
+wqY1jtA5vSe0w7ZVMhBYkNG6GI/aKBdMzpCoBtWYW/QZ+fl6F36DkEKPBPloPxLP
+0hR9xCsBvU/6VlSlBPGNFmsX5eNNMeHY68WdhLMCgYBlNynByBjPJdqr5wWvyvi7
+C1fGs6tiiaoA49+9kal0kF4oxuZfiMxRYWVPc+9UtC3QZb9dDlBN39nSyfBTgjwI
+EUwQ66yAd89l+wwn9Zn5jrMhTSjC6Leh7puCBBujStqM5UkEMFj0XtAUkiHAPkSv
+LLpRiXqMdBIps8MyvZohlQKBgEPB7U8mJg0klBq+YgTT5yIbNUOwIOXgnwQdossr
+s5Zxmo45r73IMccqhtZXINiJahByd623iLx+D6gWfv0hK9Mm+x6p+Xe1YBpnu5g3
+29vWTWtW9czsrcoruhIMVOzuljYqPymLL/9OlYptLu5IGgNDDBHVeG5Q2EYcBEUF
+OTi1AoGBAND42O8VS8tGsoR7QLeEwxjT8hCvSXYoTWcCVzbKjsPdGBkX2LiKwEr1
+B5pOfvNfFEgSmRm4LU5R/pG7seFQzlaAZCAavv2NUfC9F+5hwx95VHKXjZF+yE4m
+J6e8kb0p2zcyCZCC/61kztGk7FqH9sb/6E+6CDMP+1QYxytrkYYR
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
new file mode 100644
index 000000000..75016ea36
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -0,0 +1 @@
+03
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
new file mode 100644
index 000000000..f599e28b8
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -0,0 +1 @@
+10
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
new file mode 100644
index 000000000..0ced2f35e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -0,0 +1 @@
+0F
diff --git a/testing/hosts/winnetou/etc/openssl/start-ocsp b/testing/hosts/winnetou/etc/openssl/start-ocsp
new file mode 100755
index 000000000..bdc5dab38
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/start-ocsp
@@ -0,0 +1,20 @@
+#! /bin/sh
+# start an OpenSSL-based OCSP server
+#
+# Copyright (C) 2004 Andreas Steffen
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: start-ocsp,v 1.3 2005/01/01 18:12:14 as Exp $
+
+cd /etc/openssl
+openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 -rkey ocspKey.pem -rsigner ocspCert.pem -nmin 5 < /dev/null > /dev/null 2>&1 &
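Review bot: The `cd /etc/openssl` on the second-to-last line of start-ocsp is unchecked, so if that directory is missing the `openssl ocsp` call on the last line runs from the caller's directory with relative `index.txt`/`ocspKey.pem`/`ocspCert.pem` paths and fails invisibly, because both stdout and stderr are sent to /dev/null and the command is backgrounded. Under `#! /bin/sh` there is no `set -e`, so the failure needs to be made explicit: `cd /etc/openssl || exit 1`. It would also help the test logs to send the responder's stderr to a file (e.g. `2>/var/log/ocsp.log`) rather than /dev/null, so a key/cert mismatch or a failure to bind port 8880 is visible instead of surfacing only as OCSP timeouts on the clients.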
diff --git a/testing/hosts/winnetou/etc/openssl/strongswanCert.der b/testing/hosts/winnetou/etc/openssl/strongswanCert.der
Binary files differnew file mode 100644
index 000000000..c11cf21da
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/strongswanCert.der
diff --git a/testing/hosts/winnetou/etc/openssl/strongswanCert.pem b/testing/hosts/winnetou/etc/openssl/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
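Review bot: The root CA certificate added in strongswanCert.pem is self-signed with md5WithRSAEncryption: the signature-algorithm field in both the TBS part (`...DANBgkqhkiG9w0BAQQFADB...` on the first data line) and the outer structure (`...DQYJKoZIhvcNAQEEBQAD...` on the line starting `Q0GCAQAw`) decodes to OID 1.2.840.113549.1.1.4, whereas the Sales CA certificate earlier in this diff is SHA-1 signed (`...BAQUFADB...`). The same certificate carries serialNumber 0 (`AgIBADAN`), which RFC 3280 §4.1.2.2 forbids (serials must be positive integers); OpenSSL tolerates it, stricter validators may not. For a frozen test fixture this is presumably acceptable, but it means the whole test PKI has to be regenerated the day the builds stop allowing MD5, so a comment next to the CA configuration stating that the root is MD5-signed and how to re-issue it (`openssl req -x509 -sha1 ...` with a non-zero serial) would save the next maintainer the decode.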
diff --git a/testing/hosts/winnetou/etc/openssl/strongswanKey.pem b/testing/hosts/winnetou/etc/openssl/strongswanKey.pem
new file mode 100644
index 000000000..24de3a820
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/strongswanKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAv/JfYuo9Vm5Ys8h6ScrzrGHPqWN3c02ELbP4/W6gI/ewEy5m
+JlASMXOGcpxtfEJ6jZ8We+E46OuuKxK5WTO67zajFcPd8iTO5Lub1XgTXQRnOCYp
+Yh/5a41F9uAC5Qg2YtzhgYBcFAs/LOk/g67jyGHP9hCjnwGJyzo8fLm/fioJVE4h
+cO+qGP3U/yD6lL4XbX/s/4IfaNFxUgQdm0bwz8/B5M9D3l0/Olh3Y6/pJn9TsRaZ
+syZPxVxRifVoKHEWbLmDB5UFaWQfow/7UN4TT+0vlzzvGjkoJ4YrxN2ql7uwFELi
+k8QQcNByJNS+R64nU+sr7UvB2pHGjseAxGIPDwIDAQABAoIBAFaigsMWjpDQRWD/
+/5IG9Gy9yQjfSC7Wse4e6ScaI1WYmfROYPSx90QyrGBWkmQfbUk2oONRCGq41WfD
+j7zfSGRn+Lv+J9L/IhLDStbS14qITj5dmxga7mzI2udOvH+7cTC2GWJmGSlC2kTf
+EjfRXCY5X6/kWrWN8C+2HU7+V5wNfMqFhhMnG3VTgPBRWeQ8oTgYdZ4jYolOt9/t
+DhXtw/eEvfDb1Rg8BYB4wgm5PbOshh4L6nFEnemHDZltx1H5ZtAKTrds2ZYdGIM/
+3V1b7/a+aKltoA2ctsp/U6aTDHdql4VPop01MHZHZZ0bAAw9a2QirBvpjjwiDIgd
+4K0EpYECgYEA6JHP9kV3KDMbU+H5rbAcp/I81MrpZ79Pvx2zO+p6Nrieqpgxgy1U
+PjE2td3RAWiJflrz7p7Kez/Y01BWIzQXjZQ1oRTYYByVqW9O1SjyGb3TIgO4pXqb
+0yr2y+yl8c6tD7RUYVrlNhBsln8vxZ1BVssM8iFuOXdIQTN3m8HY/HECgYEA00jc
+Hd7isVsBpBRgFuAS5o+jNsAq50GA2uRo2r2/hWQSeeCgm+0553u7gd+kMrd3q37l
+1xp1qYrEaMrZmBvpb0kDkIL+aT8trE6dYiNpAOvPoSd0SADH1uFMIK9YVxtRT1W6
+BklQ1epYDd+W8Or5kxMCtgSW/1IUYGaKxdz/g38CgYEAymGIvN/6Lws6LqaopRJp
+/WP4t5vTvKpodQEdZXhH3bKOsBk8jNA3TN96ooxiQn17mG8BcpbP0KzgvBJewsej
+71oXyRLgr9JwEj+ANFIrS2c6gZEHb0jgrMPoe9B1H5UgWFguTYHRkFh+hgArzCVq
+JGMR4upghrVcNRDadrobXqECgYEAndKc6YsmFoj+TswRgsTaGXNN3YXqBlg9okRf
+tpVqTH+V9Yg/MHoheLJKPBcMFf5J28asdOME5SIM2KI9q4ud8Uy+5uGSnJdezIjk
+svv0YYXD0IMiLu62V+Ju9TNFb7uuHu7QSAXX5hJot+Q+YbODvcLDkacYC5wKMIAo
+ROhxzI0CgYAQlsrMUOJoVQ93pMBMxy4e2/m4vkchCvk9LIdnGlZt60ee6yDGasYq
+Qya5/bwekHXc6XRv+98EtBJ8My6rh6FWZutM3vUUtibWcNFVe/Fj6es+Tvv2M/DT
+fL6Ui9cY9l/CH0DyoDbOuI1ysF5+L7hxH6HoGERTazY6P8fHQgooaA==
+-----END RSA PRIVATE KEY-----
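Review bot: strongswanKey.pem is the private key of the root CA from the preceding file, committed unencrypted (a bare `RSA PRIVATE KEY` block with no `Proc-Type: 4,ENCRYPTED`/`DEK-Info` headers) and with mode 100644, so anyone with read access to the repository can issue certificates chaining to this root. That is presumably intended for a self-contained test network, but nothing in the tree says so; a short README in testing/hosts/winnetou/etc/openssl stating that every key here is public test material that must never be installed outside the test environment would prevent accidental reuse, and the image build should install the key files with mode 0600 since git does not preserve that. The same applies to sales/salesKey.pem earlier in this diff and to the ocspKey.pem referenced by start-ocsp.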
diff --git a/testing/hosts/winnetou/etc/runlevels/default/apache2 b/testing/hosts/winnetou/etc/runlevels/default/apache2
new file mode 100755
index 000000000..f54f3444a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/runlevels/default/apache2
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="${opts} reload"
+
+[ "x${SERVERROOT}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
+[ "x${CONFIGFILE}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
+[ "x${STARTUPERRORLOG}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
+# set a default for PIDFILE/RESTARTSTYLE for those that FAILED to follow
+# instructiosn and update the conf.d/apache2 file.
+# (bug #38787)
+[ -z "${PIDFILE}" ] && PIDFILE=/var/run/apache2.pid
+[ -z "${RESTARTSTYLE}" ] && RESTARTSTYLE="graceful"
+
+checkconfig() {
+ local myconf="/etc/apache2/conf/apache2.conf"
+ if [ "x${CONFIGFILE}" != "x" ]; then
+ if [ ${CONFIGFILE:0:1} = "/" ]; then
+ myconf="${CONFIGFILE}"
+ else
+ myconf="${SERVERROOT:-/usr/lib/apache2}/${CONFIGFILE}"
+ fi
+ fi
+ if [ ! -r "${myconf}" ]; then
+ eerror "Unable to read configuration file: ${myconf}"
+ return 1
+ fi
+ if [ -z "${PIDFILE}" ]; then
+ eerror "\$PIDFILE is not set!"
+ eerror "Did you etc-update /etc/conf.d/apache2?"
+ return 1
+ fi
+ if [ -z "${RESTARTSTYLE}" ]; then
+ eerror "\$RESTARTSTYLE is not set!"
+ eerror "Did you etc-update /etc/conf.d/apache2?"
+ return 1
+ fi
+ /usr/sbin/apache2 -t ${APACHE2_OPTS} 1>/dev/null 2>&1
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ eerror "Apache2 has detected a syntax error in your configuration files:"
+ /usr/sbin/apache2 -t ${APACHE2_OPTS}
+ fi
+ return $ret
+}
+
+depend() {
+ need net
+ use mysql dns logger netmount postgres
+ after sshd
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Starting apache2"
+ [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
+ [ -f /usr/lib/apache2/build/envvars ] && . /usr/lib/apache2/build/envvars
+ env -i PATH=$PATH /sbin/start-stop-daemon --quiet \
+ --start --startas /usr/sbin/apache2 \
+ --pidfile ${PIDFILE} -- -k start ${APACHE2_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping apache2"
+ /usr/sbin/apache2ctl stop >/dev/null
+ start-stop-daemon -o --quiet --stop --pidfile ${PIDFILE}
+ eend $?
+}
+
+reload() {
+ # restarting apache2 is much easier than apache1. The server handles most of the work for us.
+ # see http://httpd.apache.org/docs-2.0/stopping.html for more details
+ ebegin "Restarting apache2"
+ /usr/sbin/apache2 ${APACHE2_OPTS} -k ${RESTARTSTYLE}
+ eend $?
+}
diff --git a/testing/hosts/winnetou/etc/runlevels/default/net.eth0 b/testing/hosts/winnetou/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/winnetou/etc/runlevels/default/net.eth0
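Review bot: This runlevel entry is committed as a regular file (`new file mode 100755`) containing the stock Gentoo apache2 init script (the `Copyright 1999-2004 Gentoo Foundation` header, nothing winnetou-specific), but on Gentoo /etc/runlevels/default/apache2 is a symlink to /etc/init.d/apache2. If the image build copies this tree verbatim, the host ends up with a second copy of the init script that will silently drift from /etc/init.d/apache2 whenever the base image is updated. Committing a symlink instead (`ln -s /etc/init.d/apache2 testing/hosts/winnetou/etc/runlevels/default/apache2`, which git stores as mode 120000) or creating the link from the build script keeps a single source; the same applies to net.eth0 in the following file section.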
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+ set -x
+ devnull=/dev/stderr
+else
+ devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+ use hotplug pcmcia
+}
+
+checkconfig() {
+ if [[ -z "${ifconfig_IFACE}" ]]; then
+ eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+ eerror "(or \$iface_$IFACE for old-style configuration)"
+ return 1
+ fi
+ if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+ eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+ return 1
+ fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+ LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+# status_IFACE (up or '')
+# vlans_IFACE (space-separated list)
+# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE)
+# dhcpcd_IFACE (command-line args for dhcpcd)
+# routes_IFACE (array of route lines)
+# inet6_IFACE (array of inet6 lines)
+# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails)
+setup_vars() {
+ local i iface="${1//\./_}"
+
+ status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+ eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+ eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+ eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+ eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+ eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+ eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+ # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+ # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+ eval local iface_IFACE=\"\$\{iface_$iface\}\"
+ if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+ # Make sure these get evaluated as arrays
+ local -a aliases broadcasts netmasks
+
+ # Start with the primary interface
+ ifconfig_IFACE=( "${iface_IFACE}" )
+
+ # ..then add aliases
+ eval aliases=( \$\{alias_$iface\} )
+ eval broadcasts=( \$\{broadcast_$iface\} )
+ eval netmasks=( \$\{netmask_$iface\} )
+ for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+ ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+ done
+ fi
+
+ # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+ if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+ inet6_IFACE=( ${inet6_IFACE} )
+ fi
+}
+
+iface_start() {
+ local IFACE=${1} i x retval
+ checkconfig || return 1
+
+ if [[ ${ifconfig_IFACE} != dhcp ]]; then
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Bringing ${IFACE} up (${i})"
+ else
+ ebegin "Bringing ${IFACE} up"
+ fi
+ # ifconfig does not always return failure ..
+ ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+ ifconfig ${IFACE} up &>${devnull}
+ eend $? || return $?
+ else
+ # Check that eth0 was not brought up by the kernel ...
+ if [[ ${status_IFACE} == up ]]; then
+ einfo "Keeping kernel configuration for ${IFACE}"
+ else
+ ebegin "Bringing ${IFACE} up via DHCP"
+ /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+ retval=$?
+ eend $retval
+ if [[ $retval == 0 ]]; then
+ # DHCP succeeded, show address retrieved
+ i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' |
+ cut -d: -f2)
+ [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}"
+ elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+ # DHCP failed, try fallback.
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_fallback_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Using fallback configuration (${i}) for ${IFACE}"
+ else
+ ebegin "Using fallback configuration for ${IFACE}"
+ fi
+ ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+ ifconfig ${IFACE} up &>${devnull}
+ eend $? || return $?
+ else
+ return $retval
+ fi
+ fi
+ fi
+
+ if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+ einfo " Adding aliases"
+ for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+ ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+ ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+ eend $?
+ done
+ fi
+
+ if [[ -n ${inet6_IFACE} ]]; then
+ einfo " Adding inet6 addresses"
+ for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+ ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}"
+ ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+ eend $?
+ done
+ fi
+
+ # Set static routes
+ if [[ -n ${routes_IFACE} ]]; then
+ einfo " Adding routes"
+ for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+ ebegin " ${routes_IFACE[i]}"
+ /sbin/route add ${routes_IFACE[i]}
+ eend $?
+ done
+ fi
+
+ # Set default route if applicable to this interface
+ if [[ ${gateway} == ${IFACE}/* ]]; then
+ local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+ local gw=${gateway#*/}
+ if [[ ${ogw} != ${gw} ]]; then
+ ebegin " Setting default gateway ($gw)"
+
+ # First delete any existing route if it was setup by kernel...
+ /sbin/route del default dev ${IFACE} &>${devnull}
+
+ # Second delete old gateway if it was set...
+ /sbin/route del default gw ${ogw} &>${devnull}
+
+ # Third add our new default gateway
+ /sbin/route add default gw ${gw} >${devnull}
+ eend $? || {
+ true # need to have some command in here
+ # Note: This originally called stop, which is obviously
+ # wrong since it's calling with a local version of IFACE.
+ # The below code works correctly to abort configuration of
+ # the interface, but is commented because we're assuming
+ # that default route failure should not cause the interface
+ # to be unconfigured.
+ #local error=$?
+ #ewarn "Aborting configuration of ${IFACE}"
+ #iface_stop ${IFACE}
+ #return ${error}
+ }
+ fi
+ fi
+
+ # Enabling rp_filter causes wacky packets to be auto-dropped by
+ # the kernel. Note that we only do this if it is not set via
+ # /etc/sysctl.conf ...
+ if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+ -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+ echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+ fi
+}
+
+# iface_stop: bring down an interface. Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran. Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+ local IFACE=${1} i x aliases inet6 count
+
+ # Try to do a simple down (no aliases, no inet6, no dhcp)
+ aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+ inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+ if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $? "Timed out"
+ fi
+ ebegin " Stopping ${i}"
+ ifconfig ${i} down &>${devnull}
+ eend 0
+ done
+
+ return 0
+}
+
+start() {
+ # These variables are set by setup_vars
+ local status_IFACE vlans_IFACE dhcpcd_IFACE
+ local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+ # Call user-defined preup function if it exists
+ if [[ $(type -t preup) == function ]]; then
+ einfo "Running preup function"
+ preup ${IFACE} || {
+ eerror "preup ${IFACE} failed"
+ return 1
+ }
+ fi
+
+ # Start the primary interface and aliases
+ setup_vars ${IFACE}
+ iface_start ${IFACE} || return 1
+
+ # Start vlans
+ local vlan
+ for vlan in ${vlans_IFACE}; do
+ /sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+ setup_vars ${IFACE}.${vlan}
+ iface_start ${IFACE}.${vlan}
+ done
+
+ # Call user-defined postup function if it exists
+ if [[ $(type -t postup) == function ]]; then
+ einfo "Running postup function"
+ postup ${IFACE}
+ fi
+}
+
+stop() {
+ # Call user-defined predown function if it exists
+ if [[ $(type -t predown) == function ]]; then
+ einfo "Running predown function"
+ predown ${IFACE}
+ fi
+
+ # Don't depend on setup_vars since configuration might have changed.
+ # Investigate current configuration instead.
+ local vlan
+ for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+ iface_stop ${vlan}
+ /sbin/vconfig rem ${vlan} >${devnull}
+ done
+
+ iface_stop ${IFACE} || return 1 # always succeeds, btw
+
+ # Call user-defined postdown function if it exists
+ if [[ $(type -t postdown) == function ]]; then
+ einfo "Running postdown function"
+ postdown ${IFACE}
+ fi
+}
+
+# vim:ts=4 |