From aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer
Date: Mon, 22 May 2006 05:12:18 +0000
Subject: Import initial strongswan 2.7.0 version into SVN.
---
 programs/_realsetup/_realsetup.in | 456 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 456 insertions(+)
 create mode 100755 programs/_realsetup/_realsetup.in
(limited to 'programs/_realsetup/_realsetup.in')
diff --git a/programs/_realsetup/_realsetup.in b/programs/_realsetup/_realsetup.in
new file mode 100755
index 000000000..91b6e98d3
--- /dev/null
+++ b/programs/_realsetup/_realsetup.in
@@ -0,0 +1,456 @@
+#!/bin/sh
+# IPsec startup and shutdown command
+# Copyright (C) 1998, 1999, 2001 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: _realsetup.in,v 1.10 2005/09/25 21:30:52 as Exp $
+
+IPSEC_NAME=strongSwan
+
+me='ipsec setup' # for messages
+
+# Misc. paths (some of this should perhaps be overrideable from ipsec.conf).
+plutopid=/var/run/pluto.pid
+subsyslock=/var/lock/subsys/ipsec
+lock=/var/run/ipsec_setup.pid
+info=/var/run/ipsec.info
+sysflags=/proc/sys/net/ipsec
+modules=/proc/modules
+ipforward=/proc/sys/net/ipv4/ip_forward
+ipsecversion=/proc/net/ipsec_version
+kamepfkey=/proc/net/pfkey
+
+# make sure output of (e.g.) ifconfig is in English
+unset LANG LANGUAGE LC_ALL LC_MESSAGES
+
+# check we were called properly
+if test " $IPSEC_confreadsection" != " setup"
+then
+ echo "$me: $0 must be called by ipsec_setup" >&2
+ exit 1
+fi
+# defaults for "config setup" items
+
+IPSECinterfaces=${IPSECinterfaces:-%defaultroute}
+ if test " $IPSECinterfaces" = " %none" ; then IPSECinterfaces= ; fi
+# IPSECforwardcontrol "no"
+# IPSECsyslog "daemon.error"
+# IPSECklipsdebug "none"
+# IPSECplutodebug "none"
+# IPSECdumpdir "" (no dump)
+# IPSECmanualstart ""
+# IPSECpluto "yes"
+IPSECplutowait=${IPSECplutowait:-no}
+# IPSECprepluto ""
+# IPSECpostpluto ""
+# IPSECfragicmp "yes"
+# IPSEChidetos "yes"
+IPSECrp_filter=${IPSECrp_filter:-0}
+IPSECuniqueids=${IPSECuniqueids:-yes}
+IPSECcrlcheckinterval=${IPSECcrlcheckinterval:-0}
+# IPSECpkcs11module ""
+# IPSECoverridemtu ""
+
+# Shall we trace?
+execute="true"
+display="false"
+for i in $IPSEC_setupflags
+do
+ case "$i" in
+ "--showonly") execute="false" ; display=true ;;
+ "--show") display=true ;;
+ esac
+done
+
+if $display
+then
+ echo " " PATH="$PATH"
+fi
+
+perform() {
+ if $display
+ then
+ echo " " "$*"
+ fi
+
+ if $execute
+ then
+ eval "$*"
+ fi
+}
+
+# function to set up manually-keyed connections
+manualconns() {
+ if test " $IPSECmanualstart" != " "
+ then
+ for tu in $IPSECmanualstart
+ do
+ perform ipsec manual --up $tu
+ done
+ fi
+
+ # search for things to "ipsec manual --up": auto == "manual"
+ eval `ipsec _confread --varprefix MANUALSTART --search auto manual`
+ if test " $MANUALSTART_confreadstatus" != " "
+ then
+ echo "auto=manual search: $MANUALSTART_confreadstatus"
+ echo "unable to determine what conns to manual --up; none done"
+ elif test " $MANUALSTART_confreadnames" != " "
+ then
+ for tu in $MANUALSTART_confreadnames
+ do
+ perform ipsec manual --up $tu
+ done
+ fi
+}
+
+# for no-stdout logging:
+LOGONLY="logger -p $IPSECsyslog -t ipsec_setup"
+
+# What an ugly string.
+# Must be a string, not a function, because it is nested
+# within another sequence (for plutorun).
+# Luckily there are NO substitutions in it.
+KILLKLIPS='ifl=` ifconfig | sed -n -e "/^ipsec/s/ .*//p" ` ;
+ test "X$ifl" != "X" &&
+ for i in $ifl ;
+ do
+ ifconfig $i down ;
+ ipsec tncfg --detach --virtual $i ;
+ done ;
+ test -r /proc/net/ipsec_klipsdebug && ipsec klipsdebug --none ;
+ ipsec eroute --clear ;
+ ipsec spi --clear ;
+ for alg in aes serpent twofish blowfish sha2 ;
+ do
+ lsmod 2>&1 | grep "^ipsec_$alg" > /dev/null && rmmod ipsec_$alg ;
+ done ;
+ lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec'
+
+if test -f $kamepfkey
+then
+ KILLKLIPS='
+ if ip xfrm state > /dev/null 2>&1 ;
+ then
+ ip xfrm state flush ;
+ ip xfrm policy flush ;
+ elif type setkey > /dev/null 2>&1 ;
+ then
+ setkey -F ;
+ setkey -FP ;
+ fi'
+fi
+
+
+
+# do it
+case "$1" in
+ start|--start|_autostart)
+ # First, does it seem to be going already?
+ perform test ! -f $lock "||" "{" \
+ echo "\"$IPSEC_NAME IPsec apparently already running, start aborted\"" ";" \
+ exit 1 ";" \
+ "}"
+
+ # announcement
+ # (Warning, changes to this log message may affect barf.)
+ version="`ipsec --version | awk 'NR == 1 { print $(3) }' | sed -e 's/^U\(.*\)\/K(.*/\1/'`"
+ case "$1" in
+ start|--start) perform echo "\"Starting $IPSEC_NAME IPsec $version...\"" ;;
+ _autostart) perform echo "\"Restarting $IPSEC_NAME IPsec $version...\"" ;;
+ esac
+
+ # preliminaries
+ perform rm -f $lock
+
+ for f in /dev/random /dev/urandom
+ do
+ perform test -r $f "||" "{" \
+ echo "\"...unable to start $IPSEC_NAME IPsec, no $f!\"" ";" \
+ exit 1 ";" \
+ "}"
+ done
+
+ # the meaning of $$ at a different runtime is questionable!
+ perform echo '$$' ">" $lock
+ perform test -s $lock "||" "{" \
+ echo "\"...unable to create $lock, aborting start!\"" ";" \
+ rm -f $lock ";" \
+ exit 1 ";" \
+ "}"
+
+ perform ">" $info
+
+ # here we go
+ perform ipsec _startklips \
+ --info $info \
+ --debug "\"$IPSECklipsdebug\"" \
+ --omtu "\"$IPSECoverridemtu\"" \
+ --fragicmp "\"$IPSECfragicmp\"" \
+ --hidetos "\"$IPSEChidetos\"" \
+ --rpfilter "\"$IPSECrp_filter\"" \
+ --log "\"$IPSECsyslog\"" \
+ $IPSECinterfaces "||" \
+ "{" rm -f $lock ";" exit 1 ";" "}"
+
+ perform test -f $ipsecversion "||" \
+ test -f $kamepfkey "||" "{" \
+ echo "\"OOPS, should have aborted! Broken shell!\"" ";" \
+ exit 1 ";" \
+ "}"
+
+ # misc pre-Pluto setup
+
+ perform test -d `dirname $subsyslock` "&&" touch $subsyslock
+
+ if test " $IPSECforwardcontrol" = " yes"
+ then
+ perform grep '"^0"' $ipforward ">" /dev/null "&&" "{" \
+ echo "\"enabling IP forwarding:\"" "|" $LOGONLY ";" \
+ echo "\"ipforwardingwas=$fw\"" ">>" $info ";" \
+ echo 1 ">" $ipforward ";" \
+ "}"
+ fi
+ manualconns
+
+ plutorestartoncrash=""
+ case "$IPSECplutorestartoncrash" in
+ true|[yY]|yes|restart) plutorestartoncrash="--plutorestartoncrash true";;
+ false|[nN]|no|die) plutorestartoncrash="--plutorestartoncrash false" ;;
+ esac
+
+ # Pluto
+ case "$1" in
+ start|--start) re= ;;
+ _autostart) re=--re ;;
+ esac
+ if test " $IPSECpluto" != " no"
+ then
+ perform ipsec _plutorun $re \
+ --debug "\"$IPSECplutodebug\"" \
+ --uniqueids "\"$IPSECuniqueids\"" \
+ --nocrsend "\"$IPSECnocrsend\"" \
+ --strictcrlpolicy "\"$IPSECstrictcrlpolicy\"" \
+ --cachecrls "\"$IPSECcachecrls\"" \
+ --nat_traversal "\"$IPSECnat_traversal\"" \
+ --keep_alive "\"$IPSECkeep_alive\"" \
+ --force_keepalive "\"$IPSECforce_keepalive\"" \
+ --disable_port_floating "\"$IPSECdisable_port_floating\"" \
+ --virtual_private "\"$IPSECvirtual_private\"" \
+ --crlcheckinterval "\"$IPSECcrlcheckinterval\"" \
+ --pkcs11module "\"$IPSECpkcs11module\"" \
+ --pkcs11keepstate "\"$IPSECpkcs11keepstate\"" \
+ --pkcs11proxy "\"$IPSECpkcs11proxy\"" \
+ --dump "\"$IPSECdumpdir\"" \
+ --opts "\"$IPSECplutoopts\"" \
+ --stderrlog "\"$IPSECplutostderrlog\"" \
+ --wait "\"$IPSECplutowait\"" \
+ --pre "\"$IPSECprepluto\"" \
+ --post "\"$IPSECpostpluto\"" \
+ --log "\"$IPSECsyslog\"" $plutorestartoncrash \
+ --pid "\"$plutopid\"" "||" "{" \
+ $KILLKLIPS ";" \
+ rm -f $lock ";" \
+ exit 1 ";" \
+ "}"
+ fi
+
+ # done!
+ perform echo "\"...$IPSEC_NAME IPsec started\"" "|" $LOGONLY
+ ;;
+
+ stop|--stop|_autostop) # _autostop is same as stop
+ # Shut things down.
+ perform echo "\"Stopping $IPSEC_NAME IPsec...\""
+ perform \
+ if test -r $lock ";" \
+ then \
+ status=0 ";" \
+ . $info ";" \
+ else \
+ echo "\"stop ordered, but IPsec does not appear to be running!\"" ";" \
+ echo "\"doing cleanup anyway...\"" ";" \
+ status=1 ";" \
+ fi
+ if test " $IPSECforwardcontrol" = " yes"
+ then
+ perform test "\"X\$ipforwardingwas\"" = "\"X0\"" "&&" "{" \
+ echo "\"disabling IP forwarding:\"" "|" $LOGONLY ";" \
+ echo 0 ">" $ipforward ";" \
+ "}"
+ fi
+
+ perform test -f $plutopid "&&" "{" \
+ if ps -p '`' cat $plutopid '`' ">" /dev/null ";" \
+ then \
+ ipsec whack --shutdown "|" grep -v "^002" ";" \
+ sleep 1 ";" \
+ if test -s $plutopid ";" \
+ then \
+ echo "\"Attempt to shut Pluto down failed! Trying kill:\"" ";" \
+ kill '`' cat $plutopid '`' ";" \
+ sleep 5 ";" \
+ fi ";" \
+ else \
+ echo "\"Removing orphaned $plutopid:\"" ";" \
+ fi ";" \
+ rm -f $plutopid ";" \
+ "}"
+
+ perform $KILLKLIPS
+
+ perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock
+
+ perform rm -f $info $lock
+ perform echo "...$IPSEC_NAME IPsec stopped" "|" $LOGONLY
+ perform exit \$status
+ ;;
+
+ status|--status)
+ if test " $IPSEC_setupflags" != " "
+ then
+ echo "$me $1 does not support $IPSEC_setupflags"
+ exit 1
+ fi
+
+ if test -f $info
+ then
+ hasinfo=yes
+ fi
+
+ if test -f $lock
+ then
+ haslock=yes
+ fi
+
+ if test -f $subsyslock
+ then
+ hassublock=yes
+ fi
+
+ if test -s $plutopid
+ then
+ if ps -p `cat $plutopid` >/dev/null
+ then
+ plutokind=normal
+ elif ps -C pluto >/dev/null
+ then
+ plutokind=illicit
+ fi
+ elif ps -C pluto >/dev/null
+ then
+ plutokind=orphaned
+ else
+ plutokind=no
+ fi
+
+ if test -r /proc/net/ipsec_eroute
+ then
+ if test " `wc -l &2
+ exit 2
+esac
+
+exit 0
-- cgit v1.2.3
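Review bot: In the start branch's forwardcontrol block, `echo "\"ipforwardingwas=$fw\"" ">>" $info` expands `$fw`, which is assigned nowhere in this hunk (the whole new file), so the info file records an empty value and the stop branch's `test "\"X\$ipforwardingwas\"" = "\"X0\""` never fires — forwarding that start switched on is never switched back off; since the preceding `grep '"^0"' $ipforward` already established the prior value was 0, write `echo "\"ipforwardingwas=0\"" ">>" $info ";" \`. The already-running check `perform test ! -f $lock ...` and the later `perform echo '$$' ">" $lock` are separate steps, so two concurrent starts can both pass the test before either writes the pidfile; POSIX noclobber makes creation atomic — replace the test, the `perform rm -f $lock` and the echo with `perform "(" set -C ";" echo '$$' ">" $lock ")" "2>/dev/null" "||" "{" echo "\"$IPSEC_NAME IPsec apparently already running, start aborted\"" ";" exit 1 ";" "}"` and keep the `test -s $lock` check that follows. In the stop branch, after `kill` and `sleep 5` the code falls through to `rm -f $plutopid` without re-running `ps -p`, so a pluto that survives SIGTERM keeps running with its pidfile gone and the next start cannot detect it; re-check the process and report instead of deleting the pidfile in that case. Every `config setup` value reaches `perform`'s `eval "$*"` wrapped only in escaped double quotes (e.g. `--opts "\"$IPSECplutoopts\""`) and `$IPSECinterfaces` is not quoted at all, so a `"`, backtick or `$(` inside ipsec.conf executes as shell in this root-run script rather than being passed as an argument — a comment above `perform()` should state that ipsec.conf content is trusted for exactly this reason. The status branch after `` `wc -l `` is missing from this page, presumably lost with an unescaped `<`, and was not reviewed.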