[network.git] / src / functions / functions.ip-tunnel

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012-2013  IPFire Network Development Team                    #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

IP_TUNNEL_MODES="gre gretap sit vti"

ip_tunnel_protocol_to_name() {
	local protocol="${1}"

	case "${protocol}" in
		gre)
			print "Generic Routing Encapsulation"
			;;
		sit)
			print "Simple Internet Transition"
			;;
		vti)
			print "Virtual Tunnel Interface"
			;;
		*)
			print "${protocol}"
			;;
	esac
}

# This function converts our modes into the type
# the iproute2 tool uses
ip_tunnel_convert_mode_to_iproute2_mode() {
	local mode=${1}
	local protocol=${2}

	if ! isset mode || ! isset protocol; then
		log ERROR "Did not get mode and/or protocol"
		return ${EXIT_ERROR}
	fi

	if [[ "${protocol}" = "ipv4" ]]; then
		# When we use IPv4 we can use our modes
		echo "${mode}"
	fi

	if [[ "${protocol}" = "ipv6" ]]; then
		# When we use IPv6 we have to convert
		case "${mode}" in
			"vti")
				echo "vti6"
				;;
			"gre")
				echo "ip6gre"
				;;
			"gretap")
				echo "ip6gretap"
				;;
		esac
	fi
}

ip_tunnel_add() {
	local device="${1}"
	shift

	local mode
	local ttl=255

	local address
	local remote_address
	local local_address

	local ikey
	local okey

	while [ $# -gt 0 ]; do
		case "${1}" in
			--address=*)
				address="$(cli_get_val "${1}")"

				# Validate input
				if ! isset address || ! mac_is_valid "${address}"; then
					error "Invalid MAC address: ${address}"
					return ${EXIT_ERROR}
				fi
				;;
			--mode=*)
				mode="$(cli_get_val "${1}")"
				;;
			--ttl=*)
				ttl="$(cli_get_val "${1}")"
				;;
			--remote-address=*)
				remote_address="$(cli_get_val "${1}")"
				;;
			--local-address=*)
				local_address="$(cli_get_val "${1}")"
				;;

			# Keys for VTI
			--ikey=*)
				ikey="$(cli_get_val "${1}")"
				;;
			--okey=*)
				okey="$(cli_get_val "${1}")"
				;;
		esac
		shift
	done

	if ! isset mode; then
		error "--mode= is not set. Must be one of ${IP_TUNNEL_MODES}"
		return ${EXIT_ERROR}
	fi

	if ! isoneof mode ${IP_TUNNEL_MODES}; then
		error "Invalid mode: ${mode}"
		return ${EXIT_ERROR}
	fi

	# We cannot mix IPv6 and IPv4
	if isset local_address && ! ip_protocol_match "${remote_address}" "${local_address}"; then
		log ERROR "Local and remote address are not of the same IP protocol"
		return ${EXIT_ERROR}
	fi

	# ikey and okey must be set for VTI devices
	if [ "${mode}" = "vti" ] && (! isset ikey || ! isset okey); then
		error "--ikey= and --okey= must be set for VTI device"
		return ${EXIT_ERROR}
	fi

	# Custom checks for certain modes
	case "${mode}" in
		gretap)
			# Generate a random MAC address if none was passed
			if ! isset address; then
				address="$(mac_generate)"
			fi
			;;
	esac

	# If TTL is set, make sure it is an integer.
	if isset ttl && ! isinteger ttl; then
		error "TTL must be an integer: ${ttl}"
		return ${EXIT_ERROR}
	fi

	# Determine the mode based on the IP protocol
	local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"
	mode=$(ip_tunnel_convert_mode_to_iproute2_mode "${mode}" "${remote_address_protocol}")

	local cmd_args=( name "${device}" )

	if isset address; then
		cmd_args=( "${cmd_args[@]}" "address" "${address}" )
	fi

	# Mode
	cmd_args=( "${cmd_args[@]}" "type" "${mode}" )

	# Apply TTL if a value has been set.
	if isset ttl; then
		cmd_args=( "${cmd_args[@]}" "ttl" "${ttl}" )
	fi

	# Apply local address if a value has been set.
	if isset local_address; then
		cmd_args=( "${cmd_args[@]}" "local" "${local_address}" )
	fi

	# Apply remote address if a value has been set.
	if isset remote_address; then
		cmd_args=( "${cmd_args[@]}" "remote" "${remote_address}" )
	fi

	# Add ikey and okey for VTI devices
	if [ "${mode}" = "vti" ]; then
		cmd_args=( "${cmd_args[@]}" "ikey" "${ikey}" "okey" "${okey}" )
	fi

	log DEBUG "Creating tunnel device '${device}' (mode=${mode})..."

	# Create the device.
	if ! cmd ip link add "${cmd_args[@]}"; then
		error "Could not create tunnel device ${device}"
		return ${EXIT_ERROR}
	fi

	# Disable policy lookups for VTI devices
	if [ "${mode}" = "vti" ]; then
		sysctl_set "net.ipv4.conf.${device}.disable_policy" "1"
	fi

	return ${EXIT_OK}
}

ip_tunnel_del() {
	device_delete "$@"
}

ip_tunnel_change() {
	local device="${1}"
	shift

	if ! device_exists "${device}"; then
		log ERROR "No such device: ${device}"
		return ${EXIT_ERROR}
	fi

	# Determine the device type
	local type="$(device_tunnel_get_type ${device})"

	local local
	local remote

	while [ $# -gt 0 ]; do
		case "${1}" in
			--local=*)
				local="$(cli_get_val "${1}")"

				if ! ip_is_valid "${local}"; then
					error "Invalid IP address for --local: ${local}"
					return ${EXIT_ERROR}
				fi

				if ! isoneof "type" gre gre6 vti vti6; then
					log ERROR "Cannot change --local for devices of type ${type}"
					return ${EXIT_ERROR}
				fi
				;;
			--remote=*)
				remote="$(cli_get_val "${1}")"

				if ! ip_is_valid "${remote}"; then
					error "Invalid IP address for --remote: ${remote}"
					return ${EXIT_ERROR}
				fi

				if ! isoneof "type" gre gre6 vti vti6; then
					log ERROR "Cannot change --remote for devices of type ${type}"
					return ${EXIT_ERROR}
				fi
				;;
		esac
		shift
	done

	# XXX If a device is of an IP protocol and the protocol of remote and local
	# have changed, we will need to destroy the interface and recreate it with
	# the correct type

	local cmd_args

	if isset local; then
		cmd_args="${cmd_args} local ${local}"
	fi

	if isset remote; then
		cmd_args="${cmd_args} remote ${remote}"
	fi

	# Exit if there is nothing to do
	if ! isset cmd_args; then
		return ${EXIT_OK}
	fi

	# Run ip command
	cmd ip link change dev "${device}" type "${type}" ${cmd_args}
}
Commit	Line	Data
	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012-2013 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	IP_TUNNEL_MODES="gre gretap sit vti"
	23
	24	ip_tunnel_protocol_to_name() {
	25	local protocol="${1}"
	26
	27	case "${protocol}" in
	28	gre)
	29	print "Generic Routing Encapsulation"
	30	;;
	31	sit)
	32	print "Simple Internet Transition"
	33	;;
	34	vti)
	35	print "Virtual Tunnel Interface"
	36	;;
	37	*)
	38	print "${protocol}"
	39	;;
	40	esac
	41	}
	42
	43	# This function converts our modes into the type
	44	# the iproute2 tool uses
	45	ip_tunnel_convert_mode_to_iproute2_mode() {
	46	local mode=${1}
	47	local protocol=${2}
	48
	49	if ! isset mode \|\| ! isset protocol; then
	50	log ERROR "Did not get mode and/or protocol"
	51	return ${EXIT_ERROR}
	52	fi
	53
	54	if [[ "${protocol}" = "ipv4" ]]; then
	55	# When we use IPv4 we can use our modes
	56	echo "${mode}"
	57	fi
	58
	59	if [[ "${protocol}" = "ipv6" ]]; then
	60	# When we use IPv6 we have to convert
	61	case "${mode}" in
	62	"vti")
	63	echo "vti6"
	64	;;
	65	"gre")
	66	echo "ip6gre"
	67	;;
	68	"gretap")
	69	echo "ip6gretap"
	70	;;
	71	esac
	72	fi
	73	}
	74
	75	ip_tunnel_add() {
	76	local device="${1}"
	77	shift
	78
	79	local mode
	80	local ttl=255
	81
	82	local address
	83	local remote_address
	84	local local_address
	85
	86	local ikey
	87	local okey
	88
	89	while [ $# -gt 0 ]; do
	90	case "${1}" in
	91	--address=*)
	92	address="$(cli_get_val "${1}")"
	93
	94	# Validate input
	95	if ! isset address \|\| ! mac_is_valid "${address}"; then
	96	error "Invalid MAC address: ${address}"
	97	return ${EXIT_ERROR}
	98	fi
	99	;;
	100	--mode=*)
	101	mode="$(cli_get_val "${1}")"
	102	;;
	103	--ttl=*)
	104	ttl="$(cli_get_val "${1}")"
	105	;;
	106	--remote-address=*)
	107	remote_address="$(cli_get_val "${1}")"
	108	;;
	109	--local-address=*)
	110	local_address="$(cli_get_val "${1}")"
	111	;;
	112
	113	# Keys for VTI
	114	--ikey=*)
	115	ikey="$(cli_get_val "${1}")"
	116	;;
	117	--okey=*)
	118	okey="$(cli_get_val "${1}")"
	119	;;
	120	esac
	121	shift
	122	done
	123
	124	if ! isset mode; then
	125	error "--mode= is not set. Must be one of ${IP_TUNNEL_MODES}"
	126	return ${EXIT_ERROR}
	127	fi
	128
	129	if ! isoneof mode ${IP_TUNNEL_MODES}; then
	130	error "Invalid mode: ${mode}"
	131	return ${EXIT_ERROR}
	132	fi
	133
	134	# We cannot mix IPv6 and IPv4
	135	if isset local_address && ! ip_protocol_match "${remote_address}" "${local_address}"; then
	136	log ERROR "Local and remote address are not of the same IP protocol"
	137	return ${EXIT_ERROR}
	138	fi
	139
	140	# ikey and okey must be set for VTI devices
	141	if [ "${mode}" = "vti" ] && (! isset ikey \|\| ! isset okey); then
	142	error "--ikey= and --okey= must be set for VTI device"
	143	return ${EXIT_ERROR}
	144	fi
	145
	146	# Custom checks for certain modes
	147	case "${mode}" in
	148	gretap)
	149	# Generate a random MAC address if none was passed
	150	if ! isset address; then
	151	address="$(mac_generate)"
	152	fi
	153	;;
	154	esac
	155
	156	# If TTL is set, make sure it is an integer.
	157	if isset ttl && ! isinteger ttl; then
	158	error "TTL must be an integer: ${ttl}"
	159	return ${EXIT_ERROR}
	160	fi
	161
	162	# Determine the mode based on the IP protocol
	163	local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"
	164	mode=$(ip_tunnel_convert_mode_to_iproute2_mode "${mode}" "${remote_address_protocol}")
	165
	166	local cmd_args=( name "${device}" )
	167
	168	if isset address; then
	169	cmd_args=( "${cmd_args[@]}" "address" "${address}" )
	170	fi
	171
	172	# Mode
	173	cmd_args=( "${cmd_args[@]}" "type" "${mode}" )
	174
	175	# Apply TTL if a value has been set.
	176	if isset ttl; then
	177	cmd_args=( "${cmd_args[@]}" "ttl" "${ttl}" )
	178	fi
	179
	180	# Apply local address if a value has been set.
	181	if isset local_address; then
	182	cmd_args=( "${cmd_args[@]}" "local" "${local_address}" )
	183	fi
	184
	185	# Apply remote address if a value has been set.
	186	if isset remote_address; then
	187	cmd_args=( "${cmd_args[@]}" "remote" "${remote_address}" )
	188	fi
	189
	190	# Add ikey and okey for VTI devices
	191	if [ "${mode}" = "vti" ]; then
	192	cmd_args=( "${cmd_args[@]}" "ikey" "${ikey}" "okey" "${okey}" )
	193	fi
	194
	195	log DEBUG "Creating tunnel device '${device}' (mode=${mode})..."
	196
	197	# Create the device.
	198	if ! cmd ip link add "${cmd_args[@]}"; then
	199	error "Could not create tunnel device ${device}"
	200	return ${EXIT_ERROR}
	201	fi
	202
	203	# Disable policy lookups for VTI devices
	204	if [ "${mode}" = "vti" ]; then
	205	sysctl_set "net.ipv4.conf.${device}.disable_policy" "1"
	206	fi
	207
	208	return ${EXIT_OK}
	209	}
	210
	211	ip_tunnel_del() {
	212	device_delete "$@"
	213	}
	214
	215	ip_tunnel_change() {
	216	local device="${1}"
	217	shift
	218
	219	if ! device_exists "${device}"; then
	220	log ERROR "No such device: ${device}"
	221	return ${EXIT_ERROR}
	222	fi
	223
	224	# Determine the device type
	225	local type="$(device_tunnel_get_type ${device})"
	226
	227	local local
	228	local remote
	229
	230	while [ $# -gt 0 ]; do
	231	case "${1}" in
	232	--local=*)
	233	local="$(cli_get_val "${1}")"
	234
	235	if ! ip_is_valid "${local}"; then
	236	error "Invalid IP address for --local: ${local}"
	237	return ${EXIT_ERROR}
	238	fi
	239
	240	if ! isoneof "type" gre gre6 vti vti6; then
	241	log ERROR "Cannot change --local for devices of type ${type}"
	242	return ${EXIT_ERROR}
	243	fi
	244	;;
	245	--remote=*)
	246	remote="$(cli_get_val "${1}")"
	247
	248	if ! ip_is_valid "${remote}"; then
	249	error "Invalid IP address for --remote: ${remote}"
	250	return ${EXIT_ERROR}
	251	fi
	252
	253	if ! isoneof "type" gre gre6 vti vti6; then
	254	log ERROR "Cannot change --remote for devices of type ${type}"
	255	return ${EXIT_ERROR}
	256	fi
	257	;;
	258	esac
	259	shift
	260	done
	261
	262	# XXX If a device is of an IP protocol and the protocol of remote and local
	263	# have changed, we will need to destroy the interface and recreate it with
	264	# the correct type
	265
	266	local cmd_args
	267
	268	if isset local; then
	269	cmd_args="${cmd_args} local ${local}"
	270	fi
	271
	272	if isset remote; then
	273	cmd_args="${cmd_args} remote ${remote}"
	274	fi
	275
	276	# Exit if there is nothing to do
	277	if ! isset cmd_args; then
	278	return ${EXIT_OK}
	279	fi
	280
	281	# Run ip command
	282	cmd ip link change dev "${device}" type "${type}" ${cmd_args}
	283	}