1 | /* strongSwan KLIPS starter |
2 | * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security | |
3 | * | |
4 | * This program is free software; you can redistribute it and/or modify it | |
5 | * under the terms of the GNU General Public License as published by the | |
6 | * Free Software Foundation; either version 2 of the License, or (at your | |
7 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
8 | * | |
9 | * This program is distributed in the hope that it will be useful, but | |
10 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
11 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
12 | * for more details. | |
13 | * | |
14 | * RCSID $Id: klips.c,v 1.8 2006/02/15 18:33:57 as Exp $ | |
15 | */ | |
16 | ||
17 | #include <sys/types.h> | |
18 | #include <sys/stat.h> | |
19 | #include <stdlib.h> | |
20 | #include <string.h> | |
21 | ||
22 | #include <freeswan.h> | |
23 | ||
24 | #include "../pluto/constants.h" | |
25 | #include "../pluto/defs.h" | |
26 | #include "../pluto/log.h" | |
27 | ||
28 | #include "confread.h" | |
29 | #include "klips.h" | |
30 | #include "files.h" | |
31 | #include "exec.h" | |
32 | ||
/* Set to 1 by starter_klips_init() only when it loaded the "ipsec" module
 * itself (PROC_IPSECVERSION was absent before modprobe and present after),
 * so that starter_klips_cleanup() knows it is responsible for rmmod;
 * cleanup resets it to 0 after unloading. */
static int _klips_module_loaded = 0;
34 | ||
/*
 * Probe for the KLIPS IPsec stack and try to load it when it is missing.
 *
 * If PROC_IPSECVERSION does not exist and the kernel has module support
 * (PROC_MODULES exists), depmod and modprobe are run via system() to pull
 * in the "ipsec" module, and _klips_module_loaded is set so that
 * starter_klips_cleanup() unloads it again.  The optional KLIPS cipher and
 * hash modules are then probed (best effort) and the kernel eroute/spi/
 * debug state is cleared with starter_klips_clear().
 *
 * Returns TRUE when KLIPS is usable, FALSE when the kernel lacks it.
 */
bool
starter_klips_init(void)
{
	struct stat stb;
	bool have_klips = (stat(PROC_IPSECVERSION, &stb) == 0);

	if (!have_klips)
	{
		if (stat(PROC_MODULES, &stb) == 0)
		{
			/* the commands below run through system(), i.e. /bin/sh, so
			 * depmod/modprobe are resolved via PATH; the module search
			 * overrides are dropped from the environment first (presumably
			 * so that a caller's environment cannot redirect module lookup) */
			unsetenv("MODPATH");
			unsetenv("MODULECONF");
			system("depmod -a >/dev/null 2>&1");
			system("modprobe -qv ipsec");
		}

		/* re-probe regardless of whether modprobe was attempted */
		have_klips = (stat(PROC_IPSECVERSION, &stb) == 0);
		if (!have_klips)
		{
			DBG(DBG_CONTROL,
				DBG_log("kernel appears to lack KLIPS")
			)
			return FALSE;
		}

		/* we loaded it, so cleanup has to unload it */
		_klips_module_loaded = 1;
	}

	/* make sure that all available crypto algorithms are loaded;
	 * modprobe exit codes are deliberately ignored (a missing module
	 * just means that algorithm is unavailable) */
	if (stat(PROC_MODULES, &stb) == 0)
	{
		static const char *const alg_cmds[] = {
			"modprobe -qv ipsec_aes",
			"modprobe -qv ipsec_serpent",
			"modprobe -qv ipsec_twofish",
			"modprobe -qv ipsec_blowfish",
			"modprobe -qv ipsec_sha2",
		};
		size_t i;

		for (i = 0; i < sizeof(alg_cmds) / sizeof(alg_cmds[0]); i++)
		{
			system(alg_cmds[i]);
		}
	}

	/* start from a clean kernel state */
	starter_klips_clear();

	DBG(DBG_CONTROL,
		DBG_log("Found KLIPS IPsec stack")
	)
	return TRUE;
}
79 | ||
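/*
 * Set one KLIPS sysflag by echoing 0 or 1 into PROC_SYSFLAGS/<name>.
 *
 * The command string contains shell redirections, so starter_exec() has to
 * run it through a shell; <name> is therefore interpolated into a shell
 * command.  Callers in this file only ever pass string literals, and that
 * must stay so (never pass configuration data here unvalidated).
 *
 * @param name   flag file name below PROC_SYSFLAGS (not modified)
 * @param value  any non-zero value is written as 1, zero as 0
 *
 * A failure is only logged via plog(); the caller is not told about it.
 */
static void
_sysflags(const char *name, int value)
{
	/* normalise once so the logged value is exactly what was written */
	int bit = value ? 1 : 0;
	int res = starter_exec("echo %d >%s/%s 2>/dev/null",
						   bit, PROC_SYSFLAGS, name);

	if (res)
	{
		plog("can't set sysflag %s to %d", name, bit);
	}
}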
89 | ||
/*
 * Push the "config setup" section into the KLIPS kernel stack.
 *
 * Sets the sysflags derived from cfg->setup (fragicmp -> icmp, hidetos ->
 * tos; inbound_policy_check is always switched on), resets klipsdebug and
 * applies every entry of cfg->setup.klipsdebug, then removes any existing
 * catch-all eroute and installs the packetdefault one for all inet traffic
 * (cfg->setup.packetdefault, or "drop" when unset).
 *
 * NOTE(review): the klipsdebug entries and packetdefault come from the
 * configuration file and are interpolated into the command strings handed
 * to starter_exec(); the "2>/dev/null" redirection in the eroute command
 * indicates starter_exec() runs them through a shell, so those values are
 * trusted as much as the config file itself.
 */
void
starter_klips_set_config(starter_config_t *cfg)
{
	char **dbg;

	_sysflags("icmp", cfg->setup.fragicmp);
	_sysflags("inbound_policy_check", 1);
	/* _sysflags("no_eroute_pass", 0); */
	/* _sysflags("opportunistic", 0); */
	_sysflags("tos", cfg->setup.hidetos);

	/* start from an empty debug mask, then apply the configured settings;
	 * "none" and "all" are klipsdebug switches of their own, anything else
	 * is a --set argument */
	starter_exec("%s/klipsdebug --none", IPSEC_EXECDIR);
	dbg = cfg->setup.klipsdebug;
	while (dbg != NULL && *dbg != NULL)
	{
		const char *fmt = (streq(*dbg, "none") || streq(*dbg, "all"))
						? "%s/klipsdebug --%s"
						: "%s/klipsdebug --set %s";

		starter_exec(fmt, IPSEC_EXECDIR, *dbg);
		dbg++;
	}

	/* drop any previous catch-all eroute, then install the packetdefault
	 * policy; the --said argument is "%<policy>" */
	starter_exec("%s/eroute --del --eraf inet --src 0/0 --dst 0/0 2>/dev/null"
				 , IPSEC_EXECDIR);
	{
		const char *said = cfg->setup.packetdefault
						 ? cfg->setup.packetdefault : "drop";

		starter_exec("%s/eroute --label packetdefault --replace --eraf inet "
					 "--src 0/0 --dst 0/0 --said %%%s", IPSEC_EXECDIR, said);
	}
}
116 | ||
/*
 * Flush the KLIPS kernel state: clear all eroutes, clear the spi table and
 * reset the klipsdebug mask.  The utilities are run from IPSEC_EXECDIR via
 * system(); their exit codes are ignored (best effort), so a failure here
 * is silent.
 */
void
starter_klips_clear(void)
{
	static const char *const clear_cmds[] = {
		IPSEC_EXECDIR"/eroute --clear",
		IPSEC_EXECDIR"/spi --clear",
		IPSEC_EXECDIR"/klipsdebug --none",
	};
	size_t i;

	for (i = 0; i < sizeof(clear_cmds) / sizeof(clear_cmds[0]); i++)
	{
		system(clear_cmds[i]);
	}
}
124 | ||
/*
 * Tear KLIPS down at shutdown: clear the kernel state and, only when
 * starter_klips_init() loaded the "ipsec" module itself, unload it again
 * with rmmod (exit code ignored) and forget that we loaded it.
 */
void
starter_klips_cleanup(void)
{
	starter_klips_clear();

	if (!_klips_module_loaded)
	{
		/* module was already present before we started; leave it alone */
		return;
	}
	system("rmmod ipsec");
	_klips_module_loaded = 0;
}