Added ipsec-updown-ipmasq.

1 files changed, 176 insertions, 0 deletions

diff --git a/ipsec-updown-ipmasq b/ipsec-updown-ipmasq
new file mode 100755
index 0000000..ae77c9e
--- /dev/null
+++ b/ipsec-updown-ipmasq
@@ -0,0 +1,176 @@
+#! /bin/sh
+# default updown script
+# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
+# 
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+# 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: ipsec-updown-ipmasq,v 1.1 2002-05-30 20:52:38 jrisch Exp $
+
+
+
+# CAUTION:  Installing a new version of FreeS/WAN will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# FreeS/WAN use yours instead of this default one.
+
+
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+ipfwadm:ipfwadm)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+}
+downroute() {
+	doroute del
+}
+doroute() {
+	parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
+	parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# horrible kludge for obscure routing bug with opportunistic
+		it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
+		it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
+		route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
+			route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
+		;;
+	*)	it="route $1 $parms $parms2"
+		route $1 $parms $parms2
+		;;
+	esac
+	st=$?
+	if test $st -ne 0
+	then
+		# route has already given its own cryptic message
+		echo "$0: \`$it' failed" >&2
+		if test " $1 $st" = " add 7"
+		then
+			# another totally undocumented interface -- 7 and
+			# "SIOCADDRT: Network is unreachable" means that
+			# the gateway isn't reachable.
+			echo "$0: (incorrect or missing nexthop setting??)" >&2
+		fi
+	fi
+	return $st
+}
+
+
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# horrible kludge for obscure routing bug with opportunistic
+		parms1="-net 0.0.0.0 netmask 128.0.0.0"
+		parms2="-net 128.0.0.0 netmask 128.0.0.0"
+		it="route del $parms1 2>&1 ; route del $parms2 2>&1"
+		oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
+		;;
+	*)
+		parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
+		it="route del $parms 2>&1"
+		oops="`route del $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	'SIOCDELRT: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:*)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	/usr/sbin/ipmasq
+	;;
+down-host:*)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	/usr/sbin/ipmasq
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	/usr/sbin/ipmasq
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	/usr/sbin/ipmasq
+	;;
+up-client:ipfwadm)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
+		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
+	;;
+down-client:ipfwadm)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
+		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac