[network.git] / src / functions / functions.ip-tunnel

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012-2013  IPFire Network Development Team                    #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

IP_TUNNEL_MODES="gre sit vti"

# This function converts our modes into the type
# the iproute2 tool uses
ip_tunnel_convert_mode_to_iproute2_mode() {
	local mode=${1}
	local protocol=${2}

	if ! isset mode || ! isset protocol; then
		log ERROR "Did not get mode and/or protocol"
		return ${EXIT_ERROR}
	fi

	if [[ "${protocol}" = "ipv4" ]]; then
		# When we use IPv4 we can use our modes
		echo "${mode}"
	fi

	if [[ "${protocol}" = "ipv6" ]]; then
		# When we use IPv6 we have to convert
		case "${mode}" in
			"vti")
				echo "vti6"
				;;
			"gre")
				echo "ip6gre"
		esac
	fi
}

ip_tunnel_add() {
	local device=${1}
	shift

	local mode
	local ttl

	local remote_address
	local local_address

	local ikey
	local okey

	while [ $# -gt 0 ]; do
		case "${1}" in
			--mode=*)
				mode="$(cli_get_val "${1}")"
				;;
			--ttl=*)
				ttl="$(cli_get_val "${1}")"
				;;
			--remote-address=*)
				remote_address="$(cli_get_val "${1}")"
				;;
			--local-address=*)
				local_address="$(cli_get_val "${1}")"
				;;

			# Keys for VTI
			--ikey=*)
				ikey="$(cli_get_val "${1}")"
				;;
			--okey=*)
				okey="$(cli_get_val "${1}")"
				;;
		esac
		shift
	done

	if ! isset mode; then
		error "--mode= is not set. Must be one of ${IP_TUNNEL_MODES}"
		return ${EXIT_ERROR}
	fi

	if ! isoneof mode ${IP_TUNNEL_MODES}; then
		error "Invalid mode: ${mode}"
		return ${EXIT_ERROR}
	fi

	# Detect the IP protocol, which is important to decide which mode we have to use
	local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"

	# If we could not detect the IP protocol something with
	# ${remote_address} is wrong
	if ! isset remote_address_protocol; then
		log ERROR "Could not determine remote address IP protocol"
		return ${EXIT_ERROR}
	fi

	# We cannot mix IPv6 and IPv4
	if [[ "${remote_address_protocol}" != \
		"$(ip_detect_protocol "${local_address}")" ]] ; then
		log ERROR "Local and remote address\
			are not from the same IP protocol"
		return ${EXIT_ERROR}
	fi

	# ikey and okey must be set for VTI devices
	if [ "${mode}" = "vti" ] && (! isset ikey || ! isset okey); then
		error "--ikey= and --okey= must be set for VTI device"
		return ${EXIT_ERROR}
	fi

	# If TTL is set, make sure it is an integer.
	if isset ttl && ! isinteger ttl; then
		error "TTL must be an integer: ${ttl}"
		return ${EXIT_ERROR}
	fi

	local cmd_args

	# Apply TTL if a value has been set.
	if isset ttl; then
		cmd_args="${cmd_args} ttl ${ttl}"
	fi

	# Apply local address if a value has been set.
	if isset local_address; then
		cmd_args="${cmd_args} local ${local_address}"
	fi

	# Apply remote address if a value has been set.
	if isset remote_address; then
		cmd_args="${cmd_args} remote ${remote_address}"
	fi

	# Add ikey and okey for VTI devices
	if [ "${mode}" = "vti" ]; then
		cmd_args="${cmd_args} ikey ${ikey} okey ${okey}"
	fi

	# Determine the mode based on the IP protocol
	mode=$(ip_tunnel_convert_mode_to_iproute2_mode "${mode}" "${remote_address_protocol}")

	log DEBUG "Creating tunnel device '${device}' (mode=${mode})..."

	# Create the device.
	if ! cmd ip link add name ${device} type ${mode} ${cmd_args}; then
		error "Could not create tunnel device ${device}"
		return ${EXIT_ERROR}
	fi

	# Disable policy lookups for VTI devices
	if [ "${mode}" = "vti" ]; then
		sysctl_set "net.ipv4.conf.${device}.disable_policy" "1"
	fi

	return ${EXIT_OK}
}

ip_tunnel_del() {
	device_delete "$@"
}

ip_tunnel_change_keys() {
	local device="${1}"
	shift

	if ! isset device; then
		error "No device given"
		return ${EXIT_ERROR}
	fi

	local ikey
	local okey

	while [ $# -gt 0 ]; do
		case "${1}" in
			--ikey=*)
				ikey="$(cli_get_val ${1})"
				;;
			--okey=*)
				okey="$(cli_get_val ${1})"
				;;
			*)
				error "Invalid argument: ${1}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	if ! isset ikey || ! isset okey; then
		error "You need to set --ikey= and --okey="
		return ${EXIT_ERROR}
	fi

	if ! device_exists "${device}"; then
		error "No such device: ${device}"
		return ${EXIT_ERROR}
	fi

	# Determine the device type
	local type="$(device_tunnel_get_type ${device})"

	if ! isoneof "type" vti vti6; then
		log ERROR "Device type '${type}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! cmd ip link change dev "${device}" \
		type "${type}" ikey "${ikey}" okey "${okey}"; then
		log ERROR "Could not change keys of device ${device}"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}
Commit	Line	Data
cccb3a4b MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
9390b61b	5	# Copyright (C) 2012-2013 IPFire Network Development Team #
cccb3a4b MT	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
91c8cce9	22	IP_TUNNEL_MODES="gre sit vti"
cccb3a4b	23
376629dc JS	24	# This function converts our modes into the type
	25	# the iproute2 tool uses
	26	ip_tunnel_convert_mode_to_iproute2_mode() {
	27	local mode=${1}
	28	local protocol=${2}
	29
	30	if ! isset mode \|\| ! isset protocol; then
	31	log ERROR "Did not get mode and/or protocol"
	32	return ${EXIT_ERROR}
	33	fi
	34
	35	if [[ "${protocol}" = "ipv4" ]]; then
	36	# When we use IPv4 we can use our modes
	37	echo "${mode}"
	38	fi
	39
	40	if [[ "${protocol}" = "ipv6" ]]; then
	41	# When we use IPv6 we have to convert
	42	case "${mode}" in
	43	"vti")
	44	echo "vti6"
	45	;;
	46	"gre")
	47	echo "ip6gre"
	48	esac
	49	fi
	50	}
	51
1c6a4e30	52	ip_tunnel_add() {
cccb3a4b MT	53	local device=${1}
	54	shift
	55
1a02da59	56	local mode
cccb3a4b MT	57	local ttl
	58
	59	local remote_address
	60	local local_address
	61
1a02da59 MT	62	local ikey
	63	local okey
	64
cccb3a4b MT	65	while [ $# -gt 0 ]; do
	66	case "${1}" in
	67	--mode=*)
2212045f	68	mode="$(cli_get_val "${1}")"
cccb3a4b MT	69	;;
cccb3a4b MT	70	--ttl=*)
2212045f	71	ttl="$(cli_get_val "${1}")"
cccb3a4b	72	;;
cccb3a4b	73	--remote-address=*)
2212045f	74	remote_address="$(cli_get_val "${1}")"
cccb3a4b MT	75	;;
cccb3a4b MT	76	--local-address=*)
2212045f	77	local_address="$(cli_get_val "${1}")"
cccb3a4b	78	;;
1a02da59 MT	79
	80	# Keys for VTI
	81	--ikey=*)
2212045f	82	ikey="$(cli_get_val "${1}")"
1a02da59 MT	83	;;
1a02da59 MT	84	--okey=*)
2212045f	85	okey="$(cli_get_val "${1}")"
1a02da59	86	;;
cccb3a4b MT	87	esac
	88	shift
	89	done
	90
1a02da59 MT	91	if ! isset mode; then
	92	error "--mode= is not set. Must be one of ${IP_TUNNEL_MODES}"
	93	return ${EXIT_ERROR}
	94	fi
	95
	96	if ! isoneof mode ${IP_TUNNEL_MODES}; then
	97	error "Invalid mode: ${mode}"
	98	return ${EXIT_ERROR}
	99	fi
	100
5bbd1fab JS	101	# Detect the IP protocol, which is important to decide which mode we have to use
	102	local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"
	103
	104	# If we could not detect the IP protocol something with
	105	# ${remote_address} is wrong
	106	if ! isset remote_address_protocol; then
	107	log ERROR "Could not determine remote address IP protocol"
	108	return ${EXIT_ERROR}
	109	fi
	110
	111	# We cannot mix IPv6 and IPv4
	112	if [[ "${remote_address_protocol}" != \
	113	"$(ip_detect_protocol "${local_address}")" ]] ; then
	114	log ERROR "Local and remote address\
	115	are not from the same IP protocol"
	116	return ${EXIT_ERROR}
	117	fi
	118
1a02da59 MT	119	# ikey and okey must be set for VTI devices
	120	if [ "${mode}" = "vti" ] && (! isset ikey \|\| ! isset okey); then
	121	error "--ikey= and --okey= must be set for VTI device"
	122	return ${EXIT_ERROR}
	123	fi
cccb3a4b MT	124
cccb3a4b MT	125	# If TTL is set, make sure it is an integer.
1a02da59 MT	126	if isset ttl && ! isinteger ttl; then
	127	error "TTL must be an integer: ${ttl}"
	128	return ${EXIT_ERROR}
	129	fi
cccb3a4b	130
cccb3a4b MT	131	local cmd_args
	132
	133	# Apply TTL if a value has been set.
	134	if isset ttl; then
	135	cmd_args="${cmd_args} ttl ${ttl}"
	136	fi
	137
eec68f19 MT	138	# Apply local address if a value has been set.
	139	if isset local_address; then
	140	cmd_args="${cmd_args} local ${local_address}"
	141	fi
	142
9390b61b SS	143	# Apply remote address if a value has been set.
	144	if isset remote_address; then
	145	cmd_args="${cmd_args} remote ${remote_address}"
	146	fi
	147
1a02da59 MT	148	# Add ikey and okey for VTI devices
	149	if [ "${mode}" = "vti" ]; then
	150	cmd_args="${cmd_args} ikey ${ikey} okey ${okey}"
	151	fi
	152
dff38496 JS	153	# Determine the mode based on the IP protocol
	154	mode=$(ip_tunnel_convert_mode_to_iproute2_mode "${mode}" "${remote_address_protocol}")
	155
cccb3a4b MT	156	log DEBUG "Creating tunnel device '${device}' (mode=${mode})..."
	157
	158	# Create the device.
d7357cc3	159	if ! cmd ip link add name ${device} type ${mode} ${cmd_args}; then
1a02da59 MT	160	error "Could not create tunnel device ${device}"
	161	return ${EXIT_ERROR}
	162	fi
ea1857e3 MT	163
	164	# Disable policy lookups for VTI devices
	165	if [ "${mode}" = "vti" ]; then
	166	sysctl_set "net.ipv4.conf.${device}.disable_policy" "1"
	167	fi
	168
	169	return ${EXIT_OK}
cccb3a4b MT	170	}
cccb3a4b MT	171
1c6a4e30	172	ip_tunnel_del() {
21e8d1aa	173	device_delete "$@"
cccb3a4b	174	}
82fac748 MT	175
	176	ip_tunnel_change_keys() {
	177	local device="${1}"
	178	shift
	179
	180	if ! isset device; then
	181	error "No device given"
	182	return ${EXIT_ERROR}
	183	fi
	184
	185	local ikey
	186	local okey
	187
	188	while [ $# -gt 0 ]; do
	189	case "${1}" in
	190	--ikey=*)
	191	ikey="$(cli_get_val ${1})"
	192	;;
	193	--okey=*)
	194	okey="$(cli_get_val ${1})"
	195	;;
	196	*)
	197	error "Invalid argument: ${1}"
	198	return ${EXIT_ERROR}
	199	;;
	200	esac
	201	shift
	202	done
	203
	204	if ! isset ikey \|\| ! isset okey; then
	205	error "You need to set --ikey= and --okey="
	206	return ${EXIT_ERROR}
	207	fi
	208
	209	if ! device_exists "${device}"; then
	210	error "No such device: ${device}"
	211	return ${EXIT_ERROR}
	212	fi
	213
dff38496 JS	214	# Determine the device type
	215	local type="$(device_tunnel_get_type ${device})"
	216
	217	if ! isoneof "type" vti vti6; then
	218	log ERROR "Device type '${type}' is invalid"
	219	return ${EXIT_ERROR}
	220	fi
	221
82fac748	222	if ! cmd ip link change dev "${device}" \
dff38496	223	type "${type}" ikey "${ikey}" okey "${okey}"; then
82fac748 MT	224	log ERROR "Could not change keys of device ${device}"
	225	return ${EXIT_ERROR}
	226	fi
	227
	228	return ${EXIT_OK}
	229	}