]>
git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - src/misc-progs/ipsecctrl.c
3 * File originally from the Smoothwall project
4 * (c) 2001 Smoothwall Team
13 #include <sys/types.h>
21 This module is responsible for start stop of the vpn system.
23 1) it allows AH & ESP to get in from interface where a vpn is mounted
24 The NAT traversal is used on the udp 4500 port.
26 2) it starts the ipsec daemon
27 The RED interface is a problem because it can be up or down a startup.
28 Then, the state change and it must not affect other VPN mounted on
30 Unfortunatly, openswan 1 cannot do that correctly. It cannot use an
31 interface without restarting everything.
36 fprintf (stderr
, "Usage:\n");
37 fprintf (stderr
, "\tipsecctrl S [connectionkey]\n");
38 fprintf (stderr
, "\tipsecctrl D [connectionkey]\n");
39 fprintf (stderr
, "\tipsecctrl R\n");
40 fprintf (stderr
, "\tipsecctrl I\n");
41 fprintf (stderr
, "\t\tS : Start/Restart Connection\n");
42 fprintf (stderr
, "\t\tD : Stop Connection\n");
43 fprintf (stderr
, "\t\tR : Reload Certificates and Secrets\n");
44 fprintf (stderr
, "\t\tI : Print Statusinfo\n");
47 static void ipsec_reload() {
48 /* Re-read all configuration files and secrets and
49 * reload the daemon (#10339).
51 safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1");
52 safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
56 ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
58 void open_physical (char *interface
, int nat_traversal_port
) {
59 char str
[STRING_SIZE
];
62 sprintf(str
, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface
);
64 sprintf(str
, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface
);
66 sprintf(str
, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface
);
68 sprintf(str
, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface
);
71 if (! nat_traversal_port
)
74 sprintf(str
, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface
, nat_traversal_port
);
76 sprintf(str
, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface
, nat_traversal_port
);
78 sprintf(str
, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface
, nat_traversal_port
);
80 sprintf(str
, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface
, nat_traversal_port
);
84 void ipsec_norules() {
85 /* clear input rules */
86 safe_system("/sbin/iptables --wait -F IPSECINPUT");
87 safe_system("/sbin/iptables --wait -F IPSECFORWARD");
88 safe_system("/sbin/iptables --wait -F IPSECOUTPUT");
92 return values from the vpn config file or false if not 'on'
94 int decode_line (char *s
,
104 if (s
[strlen(s
) - 1] == '\n')
105 s
[strlen(s
) - 1] = '\0';
107 char *result
= strsep(&s
, ",");
111 if ((count
== 1) && strcmp(result
, "on") != 0)
112 return 0; // a disabled line
118 result
= strsep(&s
, ",");
121 // check other syntax
125 if (strspn(*name
, LETTERS_NUMBERS
) != strlen(*name
)) {
126 fprintf(stderr
, "Bad connection name: %s\n", *name
);
130 if (! (strcmp(*type
, "host") == 0 || strcmp(*type
, "net") == 0)) {
131 fprintf(stderr
, "Bad connection type: %s\n", *type
);
135 //it's a valid & active line
140 issue ipsec commmands to turn on connection 'name'
142 void turn_connection_on(char *name
, char *type
) {
144 * To bring up a connection, we need to reload the configuration
145 * and issue ipsec up afterwards. To make sure the connection
146 * is not established from the start, we bring it down in advance.
148 char command
[STRING_SIZE
];
150 // Bring down the connection (if established).
151 snprintf(command
, STRING_SIZE
- 1,
152 "/usr/sbin/ipsec down %s >/dev/null", name
);
153 safe_system(command
);
155 // Reload the IPsec block chain
156 safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
158 // Reload the configuration into the daemon (#10339).
161 // Bring the connection up again.
162 snprintf(command
, STRING_SIZE
- 1,
163 "/usr/sbin/ipsec up %s >/dev/null", name
);
164 safe_system(command
);
168 issue ipsec commmands to turn off connection 'name'
170 void turn_connection_off (char *name
) {
172 * To turn off a connection, all SAs must be turned down.
173 * After that, the configuration must be reloaded.
175 char command
[STRING_SIZE
];
177 // Bring down the connection.
178 snprintf(command
, STRING_SIZE
- 1,
179 "/usr/sbin/ipsec down %s >/dev/null", name
);
180 safe_system(command
);
182 // Reload, so the connection is dropped.
185 // Reload the IPsec block chain
186 safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
189 int main(int argc
, char *argv
[]) {
190 char configtype
[STRING_SIZE
];
191 char redtype
[STRING_SIZE
] = "";
192 struct keyvalue
*kv
= NULL
;
204 if (strcmp(argv
[1], "I") == 0) {
205 safe_system("/usr/sbin/ipsec status");
209 if (strcmp(argv
[1], "R") == 0) {
214 /* FIXME: workaround for pclose() issue - still no real idea why
215 * this is happening */
216 signal(SIGCHLD
, SIG_DFL
);
218 /* handle operations that doesn't need start the ipsec system */
220 if (strcmp(argv
[1], "D") == 0) {
221 safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
227 /* read vpn config */
229 if (!readkeyvalues(kv
, CONFIG_ROOT
"/vpn/settings"))
231 fprintf(stderr
, "Cannot read vpn settings\n");
235 /* check is the vpn system is enabled */
238 findkey(kv
, "ENABLED", s
);
240 if (strcmp (s
, "on") != 0)
244 /* read interface settings */
246 if (!readkeyvalues(kv
, CONFIG_ROOT
"/ethernet/settings"))
248 fprintf(stderr
, "Cannot read ethernet settings\n");
251 if (!findkey(kv
, "CONFIG_TYPE", configtype
))
253 fprintf(stderr
, "Cannot read CONFIG_TYPE\n");
256 findkey(kv
, "RED_TYPE", redtype
);
259 /* Loop through the config file to find physical interface that will accept IPSEC */
260 int enable_red
=0; // states 0: not used
261 int enable_green
=0; // 1: error condition
262 int enable_orange
=0; // 2: good
264 char if_red
[STRING_SIZE
] = "";
265 char if_green
[STRING_SIZE
] = "";
266 char if_orange
[STRING_SIZE
] = "";
267 char if_blue
[STRING_SIZE
] = "";
270 // when RED is up, find interface name in special file
271 FILE *ifacefile
= NULL
;
272 if ((ifacefile
= fopen(CONFIG_ROOT
"/red/iface", "r"))) {
273 if (fgets(if_red
, STRING_SIZE
, ifacefile
)) {
274 if (if_red
[strlen(if_red
) - 1] == '\n')
275 if_red
[strlen(if_red
) - 1] = '\0';
279 if (VALID_DEVICE(if_red
))
283 // Check if GREEN is enabled.
284 findkey(kv
, "GREEN_DEV", if_green
);
285 if (VALID_DEVICE(if_green
))
288 // Check if ORANGE is enabled.
289 findkey(kv
, "ORANGE_DEV", if_orange
);
290 if (VALID_DEVICE(if_orange
))
293 // Check if BLUE is enabled.
294 findkey(kv
, "BLUE_DEV", if_blue
);
295 if (VALID_DEVICE(if_blue
))
300 // exit if nothing to do
301 if ((enable_red
+enable_green
+enable_orange
+enable_blue
) == 0)
306 open_physical(if_red
, 4500);
308 if (enable_green
> 0)
309 open_physical(if_green
, 4500);
311 if (enable_orange
> 0)
312 open_physical(if_orange
, 4500);
315 open_physical(if_blue
, 4500);
318 if ((argc
== 2) && strcmp(argv
[1], "S") == 0) {
319 safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
320 safe_system("/usr/sbin/ipsec restart >/dev/null");
324 // it is a selective start or stop
325 // second param is only a number 'key'
326 if ((argc
== 2) || strspn(argv
[2], NUMBERS
) != strlen(argv
[2])) {
327 fprintf(stderr
, "Bad arg: %s\n", argv
[2]);
332 // search the vpn pointed by 'key'
333 if (!(file
= fopen(CONFIG_ROOT
"/vpn/config", "r"))) {
334 fprintf(stderr
, "Couldn't open vpn settings file");
337 while (fgets(s
, STRING_SIZE
, file
) != NULL
) {
341 if (!decode_line(s
,&key
,&name
,&type
))
344 // is it the 'key' requested ?
345 if (strcmp(argv
[2], key
) != 0)
348 // Start or Delete this Connection
349 if (strcmp(argv
[1], "S") == 0)
350 turn_connection_on (name
, type
);
351 else if (strcmp(argv
[1], "D") == 0)
352 turn_connection_off (name
);
354 fprintf(stderr
, "Bad command\n");