[people/ms/network.git] / src / hooks / zones / ip-tunnel

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2010  Michael Tremer & Christian Schmidt                      #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

. /usr/lib/network/header-zone

SUPPORTED_IP_TUNNEL_MODES="gre sit vti"

HOOK_SETTINGS=(
	"MARK"
	"MODE"
	"MTU"
	"PEER"
	"LOCAL_ADDRESS"
)

# Default mode of the tunnel
DEFAULT_MODE="gre"

# Default MTU
DEFAULT_MTU="1480"

hook_check_settings() {
	assert isset MODE && assert isoneof MODE ${SUPPORTED_IP_TUNNEL_MODES}

	assert isset PEER && assert ip_is_valid "${PEER}"

	# LOCAL_ADDRESS must be valid and match the protocol of PEER
	if isset LOCAL_ADDRESS; then
		assert ip_is_valid "${LOCAL_ADDRESS}"
		assert ip_protocol_match "${PEER}" "${LOCAL_ADDRESS}"
	fi

	# Generate a random mark
	if ! isset MARK; then
		MARK="$(( ${RANDOM} & 0xffffffff ))"
	fi
}

hook_parse_cmdline() {
	while [ $# -gt 0 ]; do
		case "${1}" in
			--local-address=*)
				LOCAL_ADDRESS="$(cli_get_val "${1}")"
				;;

			--mode=*)
				MODE="$(cli_get_val "${1}")"

				# MODE must be on the list of supported protocols
				if ! isoneof MODE ${SUPPORTED_IP_TUNNEL_MODES}; then
					error "Unsupported mode: ${mode}"
					return ${EXIT_ERROR}
				fi
				;;

			--mtu=*)
				MTU="$(cli_get_val "${1}")"

				# Validate MTU
				if ! mtu_is_valid "ipv6" "${MTU}"; then
					error "Invalid MTU: ${MTU}"
					return ${EXIT_ERROR}
				fi
				;;

			--peer=*)
				PEER="$(cli_get_val "${1}")"
				;;

			*)
				error "Unknown option: ${1}"
				exit ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# If PEER is set, it must be a valid IP address
	if isset PEER && ! ip_is_valid "${PEER}"; then
		error "Peer ${PEER} is not a valid IP address"
		return ${EXIT_ERROR}
	fi

	# If LOCAL_ADDRESS is set, it must be a valid IP address
	# of the same protocol than PEER is
	if isset LOCAL_ADDRESS; then
		if ! ip_is_valid "${LOCAL_ADDRESS}"; then
			error "Local address ${LOCAL_ADDRESS} is not a valid IP address"
			return ${EXIT_ERROR}
		fi

		if ! ip_protocol_match "${PEER}" "${LOCAL_ADDRESS}"; then
			error "Peer and local address are of different IP protocols"
			return ${EXIT_ERROR}
		fi
	fi

	return ${EXIT_OK}
}

hook_up() {
	local zone=${1}
	assert isset zone

	# Read configuration
	if ! zone_settings_read "${zone}"; then
		log ERROR "Could not read settings from ${zone}"
		exit ${EXIT_ERROR}
	fi

	# Create device if it doesn't exist, yet
	if ! device_exists "${zone}"; then
		ip_tunnel_add "${zone}" \
			--mode="${MODE}" \
			--mtu="${MTU}" \
			--remote-address="${PEER}" \
			--local-address="${LOCAL_ADDRESS}" \
			--ikey="${MARK}" \
			--okey="${MARK}"
	fi

	# Bring up the device
	device_set_up "${zone}"

	# Bring up all configurations
	zone_configs_up "${zone}"

	exit ${EXIT_OK}
}

hook_down() {
	local zone="${1}"
	assert isset zone

	# Stop all the configs.
	zone_configs_down "${zone}"

	# Remove the tunnel device
	ip_tunnel_del "${zone}" || exit $?

	exit ${EXIT_OK}
}

hook_status() {
	local zone=${1}
	assert isset zone

	cli_device_headline "${zone}"

	# Read configuration
	if ! zone_settings_read "${zone}"; then
		error "Could not read settings from ${zone}"
		exit ${EXIT_ERROR}
	fi

	cli_print_fmt1 1 "Mode" "$(ip_tunnel_protocol_to_name "${MODE}")"

	if isset PEER || isset LOCAL_ADDRESS; then
		if isset PEER; then
			cli_print_fmt1 1 "Peer" "${PEER}"
		fi

		if isset LOCAL_ADDRESS; then
			cli_print_fmt1 1 "Local Address" "${LOCAL_ADDRESS}"
		fi
	fi
	cli_space

	cli_headline 2 "Configurations"
	zone_configs_cmd status "${zone}"
	cli_space

	exit ${EXIT_OK}
}
Commit	Line	Data
85de251d MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2010 Michael Tremer & Christian Schmidt #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	. /usr/lib/network/header-zone
	23
55dcff45	24	SUPPORTED_IP_TUNNEL_MODES="gre sit vti"
85de251d	25
d389e96b MT	26	HOOK_SETTINGS=(
	27	"MARK"
	28	"MODE"
9515b039	29	"MTU"
d389e96b MT	30	"PEER"
	31	"LOCAL_ADDRESS"
	32	)
85de251d MT	33
85de251d MT	34	# Default mode of the tunnel
53e764a7	35	DEFAULT_MODE="gre"
85de251d	36
9515b039 MT	37	# Default MTU
	38	DEFAULT_MTU="1480"
	39
85de251d MT	40	hook_check_settings() {
	41	assert isset MODE && assert isoneof MODE ${SUPPORTED_IP_TUNNEL_MODES}
	42
	43	assert isset PEER && assert ip_is_valid "${PEER}"
	44
	45	# LOCAL_ADDRESS must be valid and match the protocol of PEER
	46	if isset LOCAL_ADDRESS; then
	47	assert ip_is_valid "${LOCAL_ADDRESS}"
	48	assert ip_protocol_match "${PEER}" "${LOCAL_ADDRESS}"
	49	fi
2cab7afb MT	50
	51	# Generate a random mark
	52	if ! isset MARK; then
	53	MARK="$(( ${RANDOM} & 0xffffffff ))"
	54	fi
85de251d MT	55	}
	56
	57	hook_parse_cmdline() {
	58	while [ $# -gt 0 ]; do
	59	case "${1}" in
	60	--local-address=*)
	61	LOCAL_ADDRESS="$(cli_get_val "${1}")"
	62	;;
	63
	64	--mode=*)
	65	MODE="$(cli_get_val "${1}")"
	66
	67	# MODE must be on the list of supported protocols
	68	if ! isoneof MODE ${SUPPORTED_IP_TUNNEL_MODES}; then
	69	error "Unsupported mode: ${mode}"
	70	return ${EXIT_ERROR}
	71	fi
	72	;;
	73
9515b039 MT	74	--mtu=*)
	75	MTU="$(cli_get_val "${1}")"
	76
	77	# Validate MTU
	78	if ! mtu_is_valid "ipv6" "${MTU}"; then
	79	error "Invalid MTU: ${MTU}"
	80	return ${EXIT_ERROR}
	81	fi
	82	;;
	83
85de251d MT	84	--peer=*)
	85	PEER="$(cli_get_val "${1}")"
	86	;;
	87
	88	*)
	89	error "Unknown option: ${1}"
	90	exit ${EXIT_ERROR}
	91	;;
	92	esac
	93	shift
	94	done
	95
bfaa4f61 MT	96	# If PEER is set, it must be a valid IP address
bfaa4f61 MT	97	if isset PEER && ! ip_is_valid "${PEER}"; then
85de251d MT	98	error "Peer ${PEER} is not a valid IP address"
	99	return ${EXIT_ERROR}
	100	fi
	101
	102	# If LOCAL_ADDRESS is set, it must be a valid IP address
	103	# of the same protocol than PEER is
	104	if isset LOCAL_ADDRESS; then
	105	if ! ip_is_valid "${LOCAL_ADDRESS}"; then
	106	error "Local address ${LOCAL_ADDRESS} is not a valid IP address"
	107	return ${EXIT_ERROR}
	108	fi
	109
	110	if ! ip_protocol_match "${PEER}" "${LOCAL_ADDRESS}"; then
	111	error "Peer and local address are of different IP protocols"
	112	return ${EXIT_ERROR}
	113	fi
	114	fi
	115
	116	return ${EXIT_OK}
	117	}
	118
	119	hook_up() {
	120	local zone=${1}
	121	assert isset zone
	122
	123	# Read configuration
	124	if ! zone_settings_read "${zone}"; then
	125	log ERROR "Could not read settings from ${zone}"
	126	exit ${EXIT_ERROR}
	127	fi
	128
	129	# Create device if it doesn't exist, yet
	130	if ! device_exists "${zone}"; then
	131	ip_tunnel_add "${zone}" \
	132	--mode="${MODE}" \
9515b039	133	--mtu="${MTU}" \
85de251d	134	--remote-address="${PEER}" \
2cab7afb MT	135	--local-address="${LOCAL_ADDRESS}" \
	136	--ikey="${MARK}" \
	137	--okey="${MARK}"
85de251d MT	138	fi
	139
	140	# Bring up the device
	141	device_set_up "${zone}"
	142
	143	# Bring up all configurations
	144	zone_configs_up "${zone}"
	145
	146	exit ${EXIT_OK}
	147	}
	148
	149	hook_down() {
	150	local zone="${1}"
	151	assert isset zone
	152
	153	# Stop all the configs.
	154	zone_configs_down "${zone}"
	155
	156	# Remove the tunnel device
	157	ip_tunnel_del "${zone}" \|\| exit $?
	158
	159	exit ${EXIT_OK}
	160	}
	161
	162	hook_status() {
	163	local zone=${1}
	164	assert isset zone
	165
	166	cli_device_headline "${zone}"
	167
	168	# Read configuration
	169	if ! zone_settings_read "${zone}"; then
	170	error "Could not read settings from ${zone}"
	171	exit ${EXIT_ERROR}
	172	fi
	173
bfaa4f61 MT	174	cli_print_fmt1 1 "Mode" "$(ip_tunnel_protocol_to_name "${MODE}")"
	175
	176	if isset PEER \|\| isset LOCAL_ADDRESS; then
	177	if isset PEER; then
	178	cli_print_fmt1 1 "Peer" "${PEER}"
	179	fi
	180
	181	if isset LOCAL_ADDRESS; then
	182	cli_print_fmt1 1 "Local Address" "${LOCAL_ADDRESS}"
	183	fi
85de251d MT	184	fi
	185	cli_space
	186
	187	cli_headline 2 "Configurations"
	188	zone_configs_cmd status "${zone}"
	189	cli_space
	190
	191	exit ${EXIT_OK}
	192	}