#! /bin/sh # default updown script # Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # This script is a derivative of the one by Hugh Redelmeier and Henry # Spencer. It uses ipmasq as the firewallscript, and should be used # together with some modifications to ipmasq. # # It is modified by Jonas Smedegaard , and Juri Jensen # . # # Features: # # * Dynamic creation of firewall rules to RW connections # * Setup of proper source address makes it possible to ping from the # SGW itself to a remote subnet, without a separate tunnel. Remember # to change the reference of a 10.0.x.x network below to the IP range # you're using! # # RCSID $Id: ipsec-updown-ipmasq,v 1.3 2006-07-16 12:34:00 jonas Exp $ # CAUTION: Installing a new version of FreeS/WAN will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # FreeS/WAN use yours instead of this default one. # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add } downroute() { doroute del } doroute() { parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP" case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&" it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2" route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2 ;; *) it="route $1 $parms $parms2" route $1 $parms $parms2 ;; esac st=$? src="`ifconfig | egrep "^[[:space:]]*inet addr:10\.0\." | cut -f2 -d: | cut -f1 -d' ' | head -n 1`" if test "$src" ; then ip ro ls | egrep "^10\.0\..* dev ipsec" | egrep -v " src " | while read ; do ip ro change $REPLY src $src done fi if test $st -ne 0 then # route has already given its own cryptic message echo "$0: \`$it' failed" >&2 if test " $1 $st" = " add 7" then # another totally undocumented interface -- 7 and # "SIOCADDRT: Network is unreachable" means that # the gateway isn't reachable. echo "$0: (incorrect or missing nexthop setting??)" >&2 fi fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic parms1="-net 0.0.0.0 netmask 128.0.0.0" parms2="-net 128.0.0.0 netmask 128.0.0.0" it="route del $parms1 2>&1 ; route del $parms2 2>&1" oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`" ;; *) parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" it="route del $parms 2>&1" oops="`route del $parms 2>&1`" ;; esac status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in 'SIOCDELRT: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. /usr/sbin/ipmasq ;; down-host:*) # connection to me going down # If you are doing a custom version, firewall commands go here. /usr/sbin/ipmasq ;; up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. /usr/sbin/ipmasq ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. /usr/sbin/ipmasq ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac