diff options
Diffstat (limited to 'ipsec-updown-ipmasq')
| -rwxr-xr-x | ipsec-updown-ipmasq | 198 |
1 files changed, 0 insertions, 198 deletions
diff --git a/ipsec-updown-ipmasq b/ipsec-updown-ipmasq deleted file mode 100755 index 53093a8..0000000 --- a/ipsec-updown-ipmasq +++ /dev/null @@ -1,198 +0,0 @@ -#! /bin/sh -# default updown script -# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - - -# This script is a derivative of the one by Hugh Redelmeier and Henry -# Spencer. It uses ipmasq as the firewallscript, and should be used -# together with some modifications to ipmasq. -# -# It is modified by Jonas Smedegaard <jonas@jones.dk>, and Juri Jensen -# <juri@xenux.dk>. -# -# Features: -# -# * Dynamic creation of firewall rules to RW connections -# * Setup of proper source address makes it possible to ping from the -# SGW itself to a remote subnet, without a separate tunnel. Remember -# to change the reference of a 10.0.x.x network below to the IP range -# you're using! -# -# RCSID $Id: ipsec-updown-ipmasq,v 1.3 2006-07-16 12:34:00 jonas Exp $ - - -# CAUTION: Installing a new version of FreeS/WAN will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# FreeS/WAN use yours instead of this default one. - - - -# check interface version -case "$PLUTO_VERSION" in -1.[0]) # Older Pluto?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add -} -downroute() { - doroute del -} -doroute() { - parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" - parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # horrible kludge for obscure routing bug with opportunistic - it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&" - it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2" - route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && - route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2 - ;; - *) it="route $1 $parms $parms2" - route $1 $parms $parms2 - ;; - esac - st=$? - src="`ifconfig | egrep "^[[:space:]]*inet addr:10\.0\." | cut -f2 -d: | cut -f1 -d' ' | head -n 1`" - if test "$src" ; then - ip ro ls | egrep "^10\.0\..* dev ipsec" | egrep -v " src " | - while read ; do - ip ro change $REPLY src $src - done - fi - if test $st -ne 0 - then - # route has already given its own cryptic message - echo "$0: \`$it' failed" >&2 - if test " $1 $st" = " add 7" - then - # another totally undocumented interface -- 7 and - # "SIOCADDRT: Network is unreachable" means that - # the gateway isn't reachable. - echo "$0: (incorrect or missing nexthop setting??)" >&2 - fi - fi - return $st -} - - - -# the big choice -case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # horrible kludge for obscure routing bug with opportunistic - parms1="-net 0.0.0.0 netmask 128.0.0.0" - parms2="-net 128.0.0.0 netmask 128.0.0.0" - it="route del $parms1 2>&1 ; route del $parms2 2>&1" - oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`" - ;; - *) - parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" - it="route del $parms 2>&1" - oops="`route del $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - 'SIOCDELRT: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; -up-host:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - /usr/sbin/ipmasq - ;; -down-host:*) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - /usr/sbin/ipmasq - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - /usr/sbin/ipmasq - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - /usr/sbin/ipmasq - ;; -up-client:ipfwadm) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ - -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK - ;; -down-client:ipfwadm) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ - -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac |