authorMiloslav Trmac <mitr@volny.cz>2006-07-08 21:44:31 +0000
committerMiloslav Trmac <mitr@volny.cz>2006-07-08 21:44:31 +0000
commit29fd49bc96ba9932b350324cd6652d9f942d6561 (patch)
tree99a9793c0b6455be4ab8c322392d67a803b265e9 /sysconfig/network-scripts/ifup-ipsec
parent7be28bbb61b91fddf415e42dfe09bde94689b472 (diff)
Eliminate as much duplicated code as possible (part of #168972, based on a
patch by Aleksandar Milivojevic <alex@milivojevic.org>). Avoid unnecessary differences between ifup-ipsec and ifdown-ipsec.
Diffstat (limited to 'sysconfig/network-scripts/ifup-ipsec')
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec142
1 files changed, 44 insertions, 98 deletions
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index ab055fe9..81101c06 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -99,142 +99,88 @@ if [ -n "$IKE_DNSSEC" ]; then
IKE_METHOD=X509
fi
+[ -n "$IKE_METHOD" ] && KEYING=automatic
+[ -z "$KEYING" ] && KEYING=manual
+
if [ -z "$SRC" ]; then
SRC=`ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|"`
fi
if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
+ TUNNEL_MODE=yes
MODE=tunnel
[ -z "$SRCNET" ] && SRCNET="$SRC/32"
[ -z "$DSTNET" ] && DSTNET="$DST/32"
+ SPD_SRC=$SRCNET
+ SPD_DST=$DSTNET
# If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
&& [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
= "NETWORK=${DSTNET%%/*}" ]; then
EXCLUDE_SRCNET=yes
fi
+ [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
+ ip route add to $DSTNET via $SRCGW src $SRCGW
else
- MODE=host
+ unset TUNNEL_MODE
+ MODE=transport
+ SPD_SRC=$SRC
+ SPD_DST=$DST
+ unset EXCLUDE_SRCNET
fi
-[ -n "$IKE_METHOD" ] && KEYING=automatic
-[ -z "$KEYING" ] && KEYING=manual
-
-
+unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT
if [ "$KEYING" = "manual" ]; then
-
[ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1
[ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
-
- if [ "$MODE" = "host" ]; then
-
- /sbin/setkey -c >/dev/null 2>&1<< EOF
-${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
-${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
-${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
-${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
-spddelete $SRC $DST any -P out;
-spddelete $DST $SRC any -P in;
-
-# ESP
-${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;}
-${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;}
-# AH
-${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
-${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
+ [ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes
+ [ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes
+ [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes
+ [ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes
+else
+ [ -z "$AH_PROTO" ] && AH_PROTO=sha1
+ [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
-spdadd $SRC $DST any -P out ipsec
- ${KEY_ESP_OUT:+esp/transport//require}
- ${KEY_AH_OUT:+ah/transport//require}
- ;
-
-spdadd $DST $SRC any -P in ipsec
- ${KEY_ESP_IN:+esp/transport//require}
- ${KEY_AH_IN:+ah/transport//require}
- ;
-EOF
- else
- [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
- ip route add to $DSTNET via $SRCGW src $SRCGW
+ SPD_AH_IN=yes
+ SPD_AH_OUT=yes
+ SPD_ESP_IN=yes
+ SPD_ESP_OUT=yes
+fi
- /sbin/setkey -c >/dev/null 2>&1 << EOF
+/sbin/setkey -c >/dev/null 2>&1 << EOF
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
-spddelete $SRCNET $DSTNET any -P out;
-spddelete $DSTNET $SRCNET any -P in;
-${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
-${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
+spddelete $SPD_SRC $SPD_DST any -P out;
+spddelete $SPD_DST $SPD_SRC any -P in;
+${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
+${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
# ESP
-${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;}
-${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -m tunnel -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;}
+${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;}
+${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;}
# AH
-${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -m tunnel -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
-${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -m tunnel -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
+${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
+${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
-${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;}
-${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;}
+${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;}
+${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;}
-spdadd $SRCNET $DSTNET any -P out ipsec
- ${KEY_ESP_OUT:+esp/tunnel/$SRC-$DST/require}
- ${KEY_AH_OUT:+ah/tunnel/$SRC-$DST/require}
- ;
-
-spdadd $DSTNET $SRCNET any -P in ipsec
- ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require}
- ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require}
+spdadd $SPD_SRC $SPD_DST any -P out ipsec
+ ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
+ ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
;
-EOF
- fi
-fi
-
-if [ "$KEYING" = "automatic" ]; then
- [ -z "$AH_PROTO" ] && AH_PROTO=sha1
- [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
-
- if [ "$MODE" = "host" ]; then
- /sbin/setkey -c > /dev/null 2>&1 << EOF
-spddelete $SRC $DST any -P out;
-spddelete $DST $SRC any -P in;
-spdadd $SRC $DST any -P out ipsec
- esp/transport//require
- ah/transport//require
- ;
-
-spdadd $DST $SRC any -P in ipsec
- esp/transport//require
- ah/transport//require
+spdadd $SPD_DST $SPD_SRC any -P in ipsec
+ ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
+ ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
;
EOF
- else
- [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
- ip route add to $DSTNET via $SRCGW src $SRCGW
-
- /sbin/setkey -c >/dev/null 2>&1 << EOF
-spddelete $SRCNET $DSTNET any -P out;
-spddelete $DSTNET $SRCNET any -P in;
-${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
-${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
-${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;}
-${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;}
-
-spdadd $SRCNET $DSTNET any -P out ipsec
- esp/tunnel/$SRC-$DST/require
- ah/tunnel/$SRC-$DST/require
- ;
-
-spdadd $DSTNET $SRCNET any -P in ipsec
- esp/tunnel/$DST-$SRC/require
- ah/tunnel/$DST-$SRC/require
- ;
-EOF
- fi
+if [ "$KEYING" = "automatic" ]; then
if [ "$IKE_METHOD" = "PSK" ]; then
tmpfile=`mktemp /etc/racoon/psk.XXXXXX`
grep -v "^$DST" /etc/racoon/psk.txt > $tmpfile