3 * File originally from the Smoothwall project
4 * (c) 2001 Smoothwall Team
6 * $Id: ipsecctrl.c,v 1.5.2.14 2005/05/15 12:58:28 rkerr Exp $
10 #include "libsmooth.h"
15 #include <sys/types.h>
21 fprintf (stderr
, "Usage:\n");
22 fprintf (stderr
, "\tipsecctrl S [connectionkey]\n");
23 fprintf (stderr
, "\tipsecctrl D [connectionkey]\n");
24 fprintf (stderr
, "\tipsecctrl R\n");
25 fprintf (stderr
, "\t\tS : Start/Restart Connection\n");
26 fprintf (stderr
, "\t\tD : Stop Connection\n");
27 fprintf (stderr
, "\t\tR : Reload Certificates and Secrets\n");
/*
 * Load the kernel crypto modules the IPsec stack may need, one
 * modprobe per module, via safe_system(). Each command's exit status
 * is deliberately ignored: a module that is built in, missing, or
 * already loaded must not abort the rest of the start-up sequence.
 */
void loadalgmodules() {
	static char *const modprobe_cmds[] = {
		"/sbin/modprobe ipsec_3des",
		"/sbin/modprobe ipsec_aes",
		"/sbin/modprobe ipsec_blowfish",
		"/sbin/modprobe ipsec_md5",
		"/sbin/modprobe ipsec_serpent",
		"/sbin/modprobe ipsec_sha1",
		"/sbin/modprobe ipsec_sha2",
		"/sbin/modprobe ipsec_twofish",
	};
	const size_t count = sizeof modprobe_cmds / sizeof modprobe_cmds[0];

	for (size_t i = 0; i < count; i++) {
		safe_system(modprobe_cmds[i]);
	}
}
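/*
 * Build and run one "iptables -A <chain> -p <proto> -i <interface><match>
 * -j ACCEPT" command through safe_system().
 *
 * `match` is either "" or a port match that starts with a single space
 * (e.g. " --dport 4500"), so the resulting command is byte-identical to
 * the former hand-written sprintf() strings. The command is assembled
 * with snprintf() into a STRING_SIZE buffer; if it would not fit it is
 * reported and NOT executed, since a truncated iptables command could
 * install a different rule than intended (the old sprintf() simply
 * overflowed the buffer in that case).
 */
static void ipsec_accept_rule(const char *chain, const char *interface,
			      const char *proto, const char *match)
{
	char str[STRING_SIZE];
	int n = snprintf(str, sizeof str,
			 "/sbin/iptables -A %s -p %s -i %s%s -j ACCEPT",
			 chain, proto, interface, match);

	if (n < 0 || (size_t)n >= sizeof str) {
		fprintf(stderr,
			"ipsecrules: rule for interface %s on chain %s does not fit, skipped\n",
			interface, chain);
		return;
	}
	safe_system(str);
}

/*
 * Append the rules that admit IPsec traffic arriving on `interface` to
 * the iptables chain `chain`: GRE (47), ESP (50), AH (51), IKE
 * (udp 500 -> 500) and NAT-T (udp 4500).
 *
 * Both arguments are interpolated into a shell command, so they must be
 * trusted: the callers in main() pass fixed chain names and an interface
 * name that has passed VALID_DEVICE(). This function adds a second line
 * of defence by bounding the command length (see ipsec_accept_rule()).
 */
void ipsecrules(char *chain, char *interface)
{
	ipsec_accept_rule(chain, interface, "47", "");
	ipsec_accept_rule(chain, interface, "50", "");
	ipsec_accept_rule(chain, interface, "51", "");
	ipsec_accept_rule(chain, interface, "udp", " --sport 500 --dport 500");
	ipsec_accept_rule(chain, interface, "udp", " --dport 4500");
}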
57 void addaliasinterfaces(char *configtype
, char *redtype
, char *redif
, char *enablered
, char*enableblue
)
69 if ( strcmp(enablered
, "on") == 0 )
71 if ( strcmp(enableblue
, "on") == 0 )
74 /* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not,
75 * exit gracefully. This is not an error... */
76 if (!((strcmp(configtype
, "2")==0) || (strcmp(configtype
, "3")==0) || (strcmp(configtype
, "6")==0) || (strcmp(configtype
, "7")==0)))
79 /* Now check the RED_TYPE - aliases only work with STATIC. */
80 if (!(strcmp(redtype
, "STATIC")==0))
83 /* Now set up the new aliases from the config file */
84 if (!(file
= fopen(CONFIG_ROOT
"/ethernet/aliases", "r")))
86 fprintf(stderr
, "Unable to open aliases configuration file\n");
90 while (fgets(s
, STRING_SIZE
, file
) != NULL
&& (add
+alias
) < 16)
92 if (s
[strlen(s
) - 1] == '\n')
93 s
[strlen(s
) - 1] = '\0';
94 sptr
= strtok(s
, ",");
108 sptr
= strtok(NULL
, ",");
111 if (!(aliasip
&& enabled
))
114 if (!VALID_IP(aliasip
))
116 fprintf(stderr
, "Bad alias : %s\n", aliasip
);
120 if (strcmp(enabled
, "on") == 0)
122 memset(s
, 0, STRING_SIZE
);
123 snprintf(s
, STRING_SIZE
-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", alias
+add
, redif
, alias
);
130 int main(int argc
, char *argv
[]) {
133 char configtype
[STRING_SIZE
];
134 char redtype
[STRING_SIZE
] = "";
135 char command
[STRING_SIZE
];
143 struct keyvalue
*kv
= NULL
;
144 char enablered
[STRING_SIZE
] = "off";
145 char enableblue
[STRING_SIZE
] = "off";
146 char redif
[STRING_SIZE
] = "";;
147 char blueif
[STRING_SIZE
] = "";
148 FILE *ifacefile
= NULL
;
158 /* FIXME: workaround for pclose() issue - still no real idea why
159 * this is happening */
160 signal(SIGCHLD
, SIG_DFL
);
162 /* Init the keyvalue structure */
165 /* Read in the current values */
166 if (!readkeyvalues(kv
, CONFIG_ROOT
"/vpn/settings"))
168 fprintf(stderr
, "Cannot read vpn settings\n");
172 findkey(kv
, "ENABLED", enablered
);
173 findkey(kv
, "ENABLED_BLUE", enableblue
);
178 if (!readkeyvalues(kv
, CONFIG_ROOT
"/ethernet/settings"))
180 fprintf(stderr
, "Cannot read ethernet settings\n");
184 if (!findkey(kv
, "CONFIG_TYPE", configtype
))
186 fprintf(stderr
, "Cannot read CONFIG_TYPE\n");
190 findkey(kv
, "RED_TYPE", redtype
);
191 findkey(kv
, "BLUE_DEV", blueif
);
193 memset(redif
, 0, STRING_SIZE
);
195 if ((ifacefile
= fopen(CONFIG_ROOT
"/red/iface", "r")))
197 if (fgets(redif
, STRING_SIZE
, ifacefile
))
199 if (redif
[strlen(redif
) - 1] == '\n')
200 redif
[strlen(redif
) - 1] = '\0';
205 if (!VALID_DEVICE(redif
))
207 memset(redif
, 0, STRING_SIZE
);
211 safe_system("/sbin/iptables -F IPSECRED");
212 if (!strcmp(enablered
, "on") && strlen(redif
)) {
213 ipsecrules("IPSECRED", redif
);
216 safe_system("/sbin/iptables -F IPSECBLUE");
217 if (!strcmp(enableblue
, "on")) {
218 if (VALID_DEVICE(blueif
))
219 ipsecrules("IPSECBLUE", blueif
);
222 fprintf(stderr
, "IPSec enabled on blue but blue interface is invalid or not found\n");
227 /* Only shutdown pluto if it really is running */
229 if (strcmp(argv
[1], "D") == 0) {
232 if ((fd
= open("/var/run/pluto.pid", O_RDONLY
)) != -1) {
233 safe_system("/etc/rc.d/ipsec stop 2> /dev/null >/dev/null");
239 if ((strcmp(enablered
, "on") || !strlen(redif
)) && strcmp(enableblue
, "on"))
243 if (strcmp(argv
[1], "S") == 0) {
245 safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null");
246 safe_system("/etc/rc.d/ipsec restart >/dev/null");
247 addaliasinterfaces(configtype
, redtype
, redif
, enablered
, enableblue
);
248 } else if (strcmp(argv
[1], "R") == 0) {
249 safe_system("/usr/sbin/ipsec auto --rereadall");
251 fprintf(stderr
, "Bad arg\n");
255 } else if (strspn(argv
[2], NUMBERS
) == strlen(argv
[2])) {
256 if (!(file
= fopen(CONFIG_ROOT
"/vpn/config", "r"))) {
257 fprintf(stderr
, "Couldn't open vpn settings file");
260 while (fgets(s
, STRING_SIZE
, file
) != NULL
) {
261 if (s
[strlen(s
) - 1] == '\n')
262 s
[strlen(s
) - 1] = '\0';
263 running
= strdup (s
);
264 result
= strsep(&running
, ",");
280 result
= strsep(&running
, ",");
282 if (strcmp(key
, argv
[2]) != 0)
285 if (!(name
&& enabled
))
288 if (strspn(name
, LETTERS_NUMBERS
) != strlen(name
)) {
289 fprintf(stderr
, "Bad connection name: %s\n", name
);
293 if (! (strcmp(type
, "host") == 0 || strcmp(type
, "net") == 0)) {
294 fprintf(stderr
, "Bad connection type: %s\n", type
);
298 if (strcmp(argv
[1], "S") == 0 && strcmp(enabled
, "on") == 0) {
299 safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");
300 memset(command
, 0, STRING_SIZE
);
301 snprintf(command
, STRING_SIZE
- 1,
302 "/usr/sbin/ipsec auto --replace %s >/dev/null", name
);
303 safe_system(command
);
304 if (strcmp(type
, "net") == 0) {
305 memset(command
, 0, STRING_SIZE
);
306 snprintf(command
, STRING_SIZE
- 1,
307 "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name
);
308 safe_system(command
);
310 } else if (strcmp(argv
[1], "D") == 0) {
311 safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");
312 memset(command
, 0, STRING_SIZE
);
313 snprintf(command
, STRING_SIZE
- 1,
314 "/usr/sbin/ipsec auto --down %s >/dev/null", name
);
315 safe_system(command
);
316 memset(command
, 0, STRING_SIZE
);
317 snprintf(command
, STRING_SIZE
- 1,
318 "/usr/sbin/ipsec auto --delete %s >/dev/null", name
);
319 safe_system(command
);
323 fprintf(stderr
, "Bad arg\n");