summaryrefslogtreecommitdiff
path: root/ipsec-updown-ipmasq
blob: 53093a8668fac8b2aea133436f6523c9c889c98a (plain) 
    

  1. #! /bin/sh
    2. 

  2. # default updown script
    3. 

  3. # Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
    4. 

  4. # 
    5. 

  5. # This program is free software; you can redistribute it and/or modify it
    6. 

  6. # under the terms of the GNU General Public License as published by the
    7. 

  7. # Free Software Foundation; either version 2 of the License, or (at your
    8. 

  8. # option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
    9. 

  9. # 
    10. 

  10. # This program is distributed in the hope that it will be useful, but
    11. 

  11. # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
    12. 

  12. # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
    13. 

  13. # for more details.
    14. 

  14. 

  15. 

  16. # This script is a derivative of the one by Hugh Redelmeier and Henry
    17. 

  17. # Spencer. It uses ipmasq as the firewallscript, and should be used 
    18. 

  18. # together with some modifications to ipmasq.
    19. 

  19. #
    20. 

  20. # It is modified by Jonas Smedegaard <jonas@jones.dk>, and Juri Jensen
    21. 

  21. # <juri@xenux.dk>.
    22. 

  22. # 
    23. 

  23. # Features:
    24. 

  24. #
    25. 

  25. # * Dynamic creation of firewall rules to RW connections
    26. 

  26. # * Setup of proper source address makes it possible to ping from the
    27. 

  27. #   SGW itself to a remote subnet, without a separate tunnel. Remember
    28. 

  28. #   to change the reference of a 10.0.x.x network below to the IP range
    29. 

  29. #   you're using!
    30. 

  30. #
    31. 

  31. # RCSID $Id: ipsec-updown-ipmasq,v 1.3 2006-07-16 12:34:00 jonas Exp $
    32. 

  32. 

  33. 

  34. # CAUTION:  Installing a new version of FreeS/WAN will install a new
    35. 

  35. # copy of this script, wiping out any custom changes you make.  If
    36. 

  36. # you need changes, make a copy of this under another name, and customize
    37. 

  37. # that, and use the (left/right)updown parameters in ipsec.conf to make
    38. 

  38. # FreeS/WAN use yours instead of this default one.
    39. 

  39. 

  40. 

  41. 

  42. # check interface version
    43. 

  43. case "$PLUTO_VERSION" in
    44. 

  44. 1.[0])  # Older Pluto?!?  Play it safe, script may be using new features.
    45. 

  45.     echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    46. 

  46.     echo "$0:   called by obsolete Pluto?" >&2
    47. 

  47.     exit 2
    48. 

  48.     ;;
    49. 

  49. 1.*)    ;;
    50. 

  50. *)  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    51. 

  51.     exit 2
    52. 

  52.     ;;
    53. 

  53. esac
    54. 

  54. 

  55. # check parameter(s)
    56. 

  56. case "$1:$*" in
    57. 

  57. ':')            # no parameters
    58. 

  58.     ;;
    59. 

  59. ipfwadm:ipfwadm)    # due to (left/right)firewall; for default script only
    60. 

  60.     ;;
    61. 

  61. custom:*)       # custom parameters (see above CAUTION comment)
    62. 

  62.     ;;
    63. 

  63. *)  echo "$0: unknown parameters \`$*'" >&2
    64. 

  64.     exit 2
    65. 

  65.     ;;
    66. 

  66. esac
    67. 

  67. 

  68. # utility functions for route manipulation
    69. 

  69. # Meddling with this stuff should not be necessary and requires great care.
    70. 

  70. uproute() {
    71. 

  71.     doroute add
    72. 

  72. }
    73. 

  73. downroute() {
    74. 

  74.     doroute del
    75. 

  75. }
    76. 

  76. doroute() {
    77. 

  77.     parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    78. 

  78.     parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
    79. 

  79.     case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    80. 

  80.     "0.0.0.0/0.0.0.0")
    81. 

  81.         # horrible kludge for obscure routing bug with opportunistic
    82. 

  82.         it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
    83. 

  83.         it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
    84. 

  84.         route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
    85. 

  85.             route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
    86. 

  86.         ;;
    87. 

  87.     *)  it="route $1 $parms $parms2"
    88. 

  88.         route $1 $parms $parms2
    89. 

  89.         ;;
    90. 

  90.     esac
    91. 

  91.     st=$?
    92. 

  92.     src="`ifconfig | egrep "^[[:space:]]*inet addr:10\.0\." | cut -f2 -d: | cut -f1 -d' ' | head -n 1`"
    93. 

  93.     if test "$src" ; then
    94. 

  94.         ip ro ls | egrep "^10\.0\..* dev ipsec" | egrep -v " src " |
    95. 

  95.             while read ; do
    96. 

  96.                 ip ro change $REPLY src $src
    97. 

  97.             done
    98. 

  98.     fi
    99. 

  99.     if test $st -ne 0
    100. 

  100.     then
    101. 

  101.         # route has already given its own cryptic message
    102. 

  102.         echo "$0: \`$it' failed" >&2
    103. 

  103.         if test " $1 $st" = " add 7"
    104. 

  104.         then
    105. 

  105.             # another totally undocumented interface -- 7 and
    106. 

  106.             # "SIOCADDRT: Network is unreachable" means that
    107. 

  107.             # the gateway isn't reachable.
    108. 

  108.             echo "$0: (incorrect or missing nexthop setting??)" >&2
    109. 

  109.         fi
    110. 

  110.     fi
    111. 

  111.     return $st
    112. 

  112. }
    113. 

  113. 

  114. 

  115. 

  116. # the big choice
    117. 

  117. case "$PLUTO_VERB:$1" in
    118. 

  118. prepare-host:*|prepare-client:*)
    119. 

  119.     # delete possibly-existing route (preliminary to adding a route)
    120. 

  120.     case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    121. 

  121.     "0.0.0.0/0.0.0.0")
    122. 

  122.         # horrible kludge for obscure routing bug with opportunistic
    123. 

  123.         parms1="-net 0.0.0.0 netmask 128.0.0.0"
    124. 

  124.         parms2="-net 128.0.0.0 netmask 128.0.0.0"
    125. 

  125.         it="route del $parms1 2>&1 ; route del $parms2 2>&1"
    126. 

  126.         oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
    127. 

  127.         ;;
    128. 

  128.     *)
    129. 

  129.         parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    130. 

  130.         it="route del $parms 2>&1"
    131. 

  131.         oops="`route del $parms 2>&1`"
    132. 

  132.         ;;
    133. 

  133.     esac
    134. 

  134.     status="$?"
    135. 

  135.     if test " $oops" = " " -a " $status" != " 0"
    136. 

  136.     then
    137. 

  137.         oops="silent error, exit status $status"
    138. 

  138.     fi
    139. 

  139.     case "$oops" in
    140. 

  140.     'SIOCDELRT: No such process'*)
    141. 

  141.         # This is what route (currently -- not documented!) gives
    142. 

  142.         # for "could not find such a route".
    143. 

  143.         oops=
    144. 

  144.         status=0
    145. 

  145.         ;;
    146. 

  146.     esac
    147. 

  147.     if test " $oops" != " " -o " $status" != " 0"
    148. 

  148.     then
    149. 

  149.         echo "$0: \`$it' failed ($oops)" >&2
    150. 

  150.     fi
    151. 

  151.     exit $status
    152. 

  152.     ;;
    153. 

  153. route-host:*|route-client:*)
    154. 

  154.     # connection to me or my client subnet being routed
    155. 

  155.     uproute
    156. 

  156.     ;;
    157. 

  157. unroute-host:*|unroute-client:*)
    158. 

  158.     # connection to me or my client subnet being unrouted
    159. 

  159.     downroute
    160. 

  160.     ;;
    161. 

  161. up-host:*)
    162. 

  162.     # connection to me coming up
    163. 

  163.     # If you are doing a custom version, firewall commands go here.
    164. 

  164.     /usr/sbin/ipmasq
    165. 

  165.     ;;
    166. 

  166. down-host:*)
    167. 

  167.     # connection to me going down
    168. 

  168.     # If you are doing a custom version, firewall commands go here.
    169. 

  169.     /usr/sbin/ipmasq
    170. 

  170.     ;;
    171. 

  171. up-client:)
    172. 

  172.     # connection to my client subnet coming up
    173. 

  173.     # If you are doing a custom version, firewall commands go here.
    174. 

  174.     /usr/sbin/ipmasq
    175. 

  175.     ;;
    176. 

  176. down-client:)
    177. 

  177.     # connection to my client subnet going down
    178. 

  178.     # If you are doing a custom version, firewall commands go here.
    179. 

  179.     /usr/sbin/ipmasq
    180. 

  180.     ;;
    181. 

  181. up-client:ipfwadm)
    182. 

  182.     # connection to client subnet, with (left/right)firewall=yes, coming up
    183. 

  183.     # This is used only by the default updown script, not by your custom
    184. 

  184.     # ones, so do not mess with it; see CAUTION comment up at top.
    185. 

  185.     ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    186. 

  186.         -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    187. 

  187.     ;;
    188. 

  188. down-client:ipfwadm)
    189. 

  189.     # connection to client subnet, with (left/right)firewall=yes, going down
    190. 

  190.     # This is used only by the default updown script, not by your custom
    191. 

  191.     # ones, so do not mess with it; see CAUTION comment up at top.
    192. 

  192.     ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    193. 

  193.         -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    194. 

  194.     ;;
    195. 

  195. *)  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
    196. 

  196.     exit 1
    197. 

  197.     ;;
    198. 

  198. esac
    199.
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-05 10:25:54 +0000