path: root/ipsec-updown-ipmasq

#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: ipsec-updown-ipmasq,v 1.1 2002-05-30 20:52:38 jrisch Exp $



# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.



# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!?  Play it safe, script may be using new features.
    echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    echo "$0:   called by obsolete Pluto?" >&2
    exit 2
    ;;
1.*)    ;;
*)  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    exit 2
    ;;
esac

# check parameter(s)
case "$1:$*" in
':')            # no parameters
    ;;
ipfwadm:ipfwadm)    # due to (left/right)firewall; for default script only
    ;;
custom:*)       # custom parameters (see above CAUTION comment)
    ;;
*)  echo "$0: unknown parameters \`$*'" >&2
    exit 2
    ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
    doroute add
}
downroute() {
    doroute del
}
doroute() {
    parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
        it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
        route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
            route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
        ;;
    *)  it="route $1 $parms $parms2"
        route $1 $parms $parms2
        ;;
    esac
    st=$?
    if test $st -ne 0
    then
        # route has already given its own cryptic message
        echo "$0: \`$it' failed" >&2
        if test " $1 $st" = " add 7"
        then
            # another totally undocumented interface -- 7 and
            # "SIOCADDRT: Network is unreachable" means that
            # the gateway isn't reachable.
            echo "$0: (incorrect or missing nexthop setting??)" >&2
        fi
    fi
    return $st
}



# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
    # delete possibly-existing route (preliminary to adding a route)
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        parms1="-net 0.0.0.0 netmask 128.0.0.0"
        parms2="-net 128.0.0.0 netmask 128.0.0.0"
        it="route del $parms1 2>&1 ; route del $parms2 2>&1"
        oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
        ;;
    *)
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        it="route del $parms 2>&1"
        oops="`route del $parms 2>&1`"
        ;;
    esac
    status="$?"
    if test " $oops" = " " -a " $status" != " 0"
    then
        oops="silent error, exit status $status"
    fi
    case "$oops" in
    'SIOCDELRT: No such process'*)
        # This is what route (currently -- not documented!) gives
        # for "could not find such a route".
        oops=
        status=0
        ;;
    esac
    if test " $oops" != " " -o " $status" != " 0"
    then
        echo "$0: \`$it' failed ($oops)" >&2
    fi
    exit $status
    ;;
route-host:*|route-client:*)
    # connection to me or my client subnet being routed
    uproute
    ;;
unroute-host:*|unroute-client:*)
    # connection to me or my client subnet being unrouted
    downroute
    ;;
up-host:*)
    # connection to me coming up
    # If you are doing a custom version, firewall commands go here.
    /usr/sbin/ipmasq
    ;;
down-host:*)
    # connection to me going down
    # If you are doing a custom version, firewall commands go here.
    /usr/sbin/ipmasq
    ;;
up-client:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    /usr/sbin/ipmasq
    ;;
down-client:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    /usr/sbin/ipmasq
    ;;
up-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
down-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
*)  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
    exit 1
    ;;
esac