author | Miloslav Trmac <mitr@volny.cz> | 2006-07-08 21:44:31 +0000 |
---|---|---|
committer | Miloslav Trmac <mitr@volny.cz> | 2006-07-08 21:44:31 +0000 |
commit | 29fd49bc96ba9932b350324cd6652d9f942d6561 (patch) | |
tree | 99a9793c0b6455be4ab8c322392d67a803b265e9 /sysconfig/network-scripts | |
parent | 7be28bbb61b91fddf415e42dfe09bde94689b472 (diff) | |
Eliminate as much duplicated code as possible (part of #168972, based on a
patch by Aleksandar Milivojevic <alex@milivojevic.org>)
Avoid unnecessary differences between ifup-ipsec and ifdown-ipsec
Diffstat (limited to 'sysconfig/network-scripts')
-rwxr-xr-x | sysconfig/network-scripts/ifdown-ipsec | 44 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifup-ipsec | 142 |
2 files changed, 64 insertions, 122 deletions
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec
index a960144f..7c7de7fa 100755
--- a/sysconfig/network-scripts/ifdown-ipsec
+++ b/sysconfig/network-scripts/ifdown-ipsec
@@ -8,16 +8,21 @@ CONFIG=$1
 [ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
 source_config
+if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
+ KEYING=manual
+fi
+
+
 if [ -n "$IKE_PSK" ]; then
 KEYING=automatic
 IKE_METHOD=PSK
 fi
-
+
 if [ -n "$IKE_CERTFILE" ]; then
 KEYING=automatic
 IKE_METHOD=X509
 fi
-
+
 if [ -n "$IKE_PEER_CERTFILE" ]; then
 KEYING=automatic
 IKE_METHOD=X509
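Review bot: The keying detection added at the top of this hunk does not agree with the one ifup-ipsec receives in the same commit: ifdown sets `KEYING=manual` only when `KEY_AH` or `KEY_ESP` is non-empty, names that occur nowhere else in this diff (the keys the scripts actually consume are `KEY_AH_IN`/`KEY_AH_OUT`/`KEY_ESP_IN`/`KEY_ESP_OUT`), while ifup derives it with `[ -n "$IKE_METHOD" ] && KEYING=automatic` and `[ -z "$KEYING" ] && KEYING=manual`. Unless the sourced ifcfg file defines plain `KEY_AH`/`KEY_ESP` (not visible here), a manually keyed connection is torn down with `KEYING` unset; in the hunks shown only the `automatic` branch still reads it, so the practical effect may be small, but a commit whose stated aim is removing differences between the two scripts should use the same two lines here instead of the new `if` block. The two blank lines added right after the new block also look unintended. The closing `fi` of the `IKE_PEER_CERTFILE` block is not within the hunk as shown.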
@@ -43,42 +48,33 @@ if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
 MODE=tunnel
 [ -z "$SRCNET" ] && SRCNET="$SRC/32"
 [ -z "$DSTNET" ] && DSTNET="$DST/32"
+ SPD_SRC=$SRCNET
+ SPD_DST=$DSTNET
 # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
 if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
 && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
 = "NETWORK=${DSTNET%%/*}" ]; then
 EXCLUDE_SRCNET=yes
 fi
+ [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
+ ip route del to $DSTNET via $SRCGW src $SRCGW
 else
- MODE=host
+ MODE=transport
+ SPD_SRC=$SRC
+ SPD_DST=$DST
+ unset EXCLUDE_SRCNET
 fi
-if [ "$KEYING" = "manual" ]; then
- setkey -c << EOF
+setkey -c << EOF
 ${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
 ${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
 ${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
 ${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
+spddelete $SPD_SRC $SPD_DST any -P out;
+spddelete $SPD_DST $SPD_SRC any -P in;
+${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
+${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
 EOF
-fi
-
-if [ "$MODE" = "host" ]; then
- setkey -c << EOF
- spddelete $SRC $DST any -P out;
- spddelete $DST $SRC any -P in;
-EOF
-else
- [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
- ip route del to $DSTNET via $SRCGW src $SRCGW
-
- /sbin/setkey -c >/dev/null 2>&1 << EOF
- spddelete $SRCNET $DSTNET any -P out;
- spddelete $DSTNET $SRCNET any -P in;
- ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
- ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
-EOF
-fi
-
 if [ "$KEYING" = "automatic" ]; then
 racoontmp=`mktemp /etc/racoon/racoon.XXXXXX`
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index ab055fe9..81101c06 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
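Review bot: The unified teardown line `setkey -c << EOF` resolves setkey through PATH, whereas the matching line this commit adds to ifup-ipsec is `/sbin/setkey -c >/dev/null 2>&1 << EOF`; for a script that runs as root from the network service, the absolute path (or one sanitized PATH shared by both scripts) is the safer choice, and it is exactly the kind of difference the commit description says it wants to remove — `/sbin/setkey -c << EOF` would do. The moved tunnel-branch lines also run `ip route del to $DSTNET via $SRCGW src $SRCGW` with whatever `ip -o route get` piped through sed produced; if no route matches, `SRCGW` is empty and the command is malformed, so a guard such as `[ -n "$SRCGW" ] || echo "no source address for $SRCNET" >&2` before the `ip route del` would make the failure visible rather than silent. The `if [ "$KEYING" = "automatic" ]` block at the end of the hunk continues past it.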
@@ -99,142 +99,88 @@ if [ -n "$IKE_DNSSEC" ]; then IKE_METHOD=X509 fi +[ -n "$IKE_METHOD" ] && KEYING=automatic +[ -z "$KEYING" ] && KEYING=manual + if [ -z "$SRC" ]; then SRC=`ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|"` fi if [ -n "$SRCNET" -o -n "$DSTNET" ]; then + TUNNEL_MODE=yes MODE=tunnel [ -z "$SRCNET" ] && SRCNET="$SRC/32" [ -z "$DSTNET" ] && DSTNET="$DST/32" + SPD_SRC=$SRCNET + SPD_DST=$DSTNET # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \ && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \ = "NETWORK=${DSTNET%%/*}" ]; then EXCLUDE_SRCNET=yes fi + [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"` + ip route add to $DSTNET via $SRCGW src $SRCGW else - MODE=host + unset TUNNEL_MODE + MODE=transport + SPD_SRC=$SRC + SPD_DST=$DST + unset EXCLUDE_SRCNET fi -[ -n "$IKE_METHOD" ] && KEYING=automatic -[ -z "$KEYING" ] && KEYING=manual - - +unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT if [ "$KEYING" = "manual" ]; then - [ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1 [ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc - - if [ "$MODE" = "host" ]; then - - /sbin/setkey -c >/dev/null 2>&1<< EOF -${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;} -${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;} -${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;} -${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;} -spddelete $SRC $DST any -P out; -spddelete $DST $SRC any -P in; - -# ESP -${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;} -${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;} -# AH -${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} -${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} + [ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes + [ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes + [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes + [ -n "$KEY_ESP_OUT" ] && 
SPD_ESP_OUT=yes +else + [ -z "$AH_PROTO" ] && AH_PROTO=sha1 + [ -z "$ESP_PROTO" ] && ESP_PROTO=3des -spdadd $SRC $DST any -P out ipsec - ${KEY_ESP_OUT:+esp/transport//require} - ${KEY_AH_OUT:+ah/transport//require} - ; - -spdadd $DST $SRC any -P in ipsec - ${KEY_ESP_IN:+esp/transport//require} - ${KEY_AH_IN:+ah/transport//require} - ; -EOF - else - [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"` - ip route add to $DSTNET via $SRCGW src $SRCGW + SPD_AH_IN=yes + SPD_AH_OUT=yes + SPD_ESP_IN=yes + SPD_ESP_OUT=yes +fi - /sbin/setkey -c >/dev/null 2>&1 << EOF +/sbin/setkey -c >/dev/null 2>&1 << EOF ${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;} ${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;} ${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;} ${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;} -spddelete $SRCNET $DSTNET any -P out; -spddelete $DSTNET $SRCNET any -P in; -${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;} -${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;} +spddelete $SPD_SRC $SPD_DST any -P out; +spddelete $SPD_DST $SPD_SRC any -P in; +${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;} +${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;} # ESP -${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;} -${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -m tunnel -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;} +${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;} +${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;} # AH -${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -m tunnel -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} -${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -m tunnel -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} +${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} +${KEY_AH_OUT:+add 
$SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} -${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;} -${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;} +${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;} +${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;} -spdadd $SRCNET $DSTNET any -P out ipsec - ${KEY_ESP_OUT:+esp/tunnel/$SRC-$DST/require} - ${KEY_AH_OUT:+ah/tunnel/$SRC-$DST/require} - ; - -spdadd $DSTNET $SRCNET any -P in ipsec - ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require} - ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require} +spdadd $SPD_SRC $SPD_DST any -P out ipsec + ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} + ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} ; -EOF - fi -fi - -if [ "$KEYING" = "automatic" ]; then - [ -z "$AH_PROTO" ] && AH_PROTO=sha1 - [ -z "$ESP_PROTO" ] && ESP_PROTO=3des - - if [ "$MODE" = "host" ]; then - /sbin/setkey -c > /dev/null 2>&1 << EOF -spddelete $SRC $DST any -P out; -spddelete $DST $SRC any -P in; -spdadd $SRC $DST any -P out ipsec - esp/transport//require - ah/transport//require - ; - -spdadd $DST $SRC any -P in ipsec - esp/transport//require - ah/transport//require +spdadd $SPD_DST $SPD_SRC any -P in ipsec + ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} + ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} ; EOF - else - [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"` - ip route add to $DSTNET via $SRCGW src $SRCGW - - /sbin/setkey -c >/dev/null 2>&1 << EOF -spddelete $SRCNET $DSTNET any -P out; -spddelete $DSTNET $SRCNET any -P in; -${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;} -${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;} -${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;} -${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;} - -spdadd $SRCNET $DSTNET any -P out ipsec - esp/tunnel/$SRC-$DST/require - ah/tunnel/$SRC-$DST/require - ; - 
-spdadd $DSTNET $SRCNET any -P in ipsec - esp/tunnel/$DST-$SRC/require - ah/tunnel/$DST-$SRC/require - ; -EOF - fi +if [ "$KEYING" = "automatic" ]; then if [ "$IKE_METHOD" = "PSK" ]; then tmpfile=`mktemp /etc/racoon/psk.XXXXXX` grep -v "^$DST" /etc/racoon/psk.txt > $tmpfile |
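Review bot: The single `/sbin/setkey -c >/dev/null 2>&1 << EOF` that now installs every SA and SPD entry has its exit status ignored and its stderr discarded, so a policy that setkey rejects (for example, manual keying with neither `KEY_ESP_OUT` nor `KEY_AH_OUT` set, which leaves `spdadd $SPD_SRC $SPD_DST any -P out ipsec` with no rules before the `;`) brings the interface up with no diagnostic and possibly no protecting policy; whichever way setkey treats that input, the script cannot tell. Keeping stderr and failing the ifup is the fail-closed behaviour: `/sbin/setkey -c >/dev/null << EOF || { echo "setkey failed for $DST" >&2; exit 1; }`, with the tunnel route added a few lines earlier removed again on that path (or left to ifdown-ipsec, which already deletes it). The hunk opens inside the `if [ -n "$IKE_DNSSEC" ]` block and closes inside the `if [ "$KEYING" = "automatic" ]` / `if [ "$IKE_METHOD" = "PSK" ]` nesting, both of which continue outside it.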