From 7ac9ad9d783052294664a2c11cce5e70ff277ef6 Mon Sep 17 00:00:00 2001
From: Juri Jensen
Date: Thu, 30 May 2002 20:52:38 +0000
Subject: Added ipsec-updown-ipmasq.
---
 ipsec-updown-ipmasq | 176 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 176 insertions(+)
 create mode 100755 ipsec-updown-ipmasq
(limited to 'ipsec-updown-ipmasq')
diff --git a/ipsec-updown-ipmasq b/ipsec-updown-ipmasq
new file mode 100755
index 0000000..ae77c9e
--- /dev/null
+++ b/ipsec-updown-ipmasq
@@ -0,0 +1,176 @@
+#! /bin/sh
+# default updown script
+# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: ipsec-updown-ipmasq,v 1.1 2002-05-30 20:52:38 jrisch Exp $
+
+
+
+# CAUTION: Installing a new version of FreeS/WAN will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# FreeS/WAN use yours instead of this default one.
+
+
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+}
+downroute() {
+ doroute del
+}
+doroute() {
+ parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
+ parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # horrible kludge for obscure routing bug with opportunistic
+ it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
+ it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
+ route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
+ route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
+ ;;
+ *) it="route $1 $parms $parms2"
+ route $1 $parms $parms2
+ ;;
+ esac
+ st=$?
+ if test $st -ne 0
+ then
+ # route has already given its own cryptic message
+ echo "$0: \`$it' failed" >&2
+ if test " $1 $st" = " add 7"
+ then
+ # another totally undocumented interface -- 7 and
+ # "SIOCADDRT: Network is unreachable" means that
+ # the gateway isn't reachable.
+ echo "$0: (incorrect or missing nexthop setting??)" >&2
+ fi
+ fi
+ return $st
+}
+
+
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # horrible kludge for obscure routing bug with opportunistic
+ parms1="-net 0.0.0.0 netmask 128.0.0.0"
+ parms2="-net 128.0.0.0 netmask 128.0.0.0"
+ it="route del $parms1 2>&1 ; route del $parms2 2>&1"
+ oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
+ ;;
+ *)
+ parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
+ it="route del $parms 2>&1"
+ oops="`route del $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ 'SIOCDELRT: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:*)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ /usr/sbin/ipmasq
+ ;;
+down-host:*)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ /usr/sbin/ipmasq
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ /usr/sbin/ipmasq
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ /usr/sbin/ipmasq
+ ;;
+up-client:ipfwadm)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
+ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
+ ;;
+down-client:ipfwadm)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
+ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
-- 
cgit v1.2.3
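Review bot: The four `/usr/sbin/ipmasq` calls in the up-host, down-host, up-client and down-client branches run with no exit-status check and no diagnostic, whereas the route helpers in the same file (doroute and the prepare-* branch) report every failure on stderr with the command that failed. If ipmasq is missing or exits non-zero, the only signal is the bare status that happens to propagate out of the final esac, and the tunnel is presumably left routed with whatever masquerade/firewall rules were in place before; a one-line guard in the same style as doroute, `/usr/sbin/ipmasq || { echo "$0: /usr/sbin/ipmasq failed (status $?)" >&2; exit 1; }`, or a small helper called from all four branches, would make the failure visible and the script's exit status explicit. Note also that when (left/right)firewall=yes is set, Pluto passes `ipfwadm` as $1 and the `up-client:ipfwadm`/`down-client:ipfwadm` arms are taken instead of `up-client:)`/`down-client:)`, so the ipmasq refresh is skipped for client subnets in that configuration; if that is intended, a comment on those arms should say so.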