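#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012-2013 IPFire Network Development Team                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

# Tunnel types this module can create ("ip link add ... type <mode>").
# Space-separated on purpose: it is word-split where it is passed to isoneof.
IP_TUNNEL_MODES="gre sit vti"

#######################################
# Create a tunnel device.
#
# Arguments:
#   $1 - name of the device to create (required)
#   --mode=<gre|sit|vti>        required, one of ${IP_TUNNEL_MODES}
#   --ttl=<n>                   optional, must pass isinteger
#   --local-address=<addr>      optional
#   --remote-address=<addr>     optional
#   --ikey=<key> --okey=<key>   both required when --mode=vti
#   Any other option is rejected (same behaviour as ip_tunnel_change_keys).
# Outputs:
#   diagnostics via error/log
# Returns:
#   ${EXIT_OK} on success, ${EXIT_ERROR} on invalid arguments or when
#   "ip link add" fails
#######################################
ip_tunnel_add() {
	local device="${1}"
	shift

	if ! isset device; then
		error "No device given"
		return ${EXIT_ERROR}
	fi

	local mode
	local ttl
	local remote_address
	local local_address
	local ikey
	local okey

	while [ $# -gt 0 ]; do
		case "${1}" in
			--mode=*)
				mode="$(cli_get_val "${1}")"
				;;
			--ttl=*)
				ttl="$(cli_get_val "${1}")"
				;;
			--remote-address=*)
				remote_address="$(cli_get_val "${1}")"
				;;
			--local-address=*)
				local_address="$(cli_get_val "${1}")"
				;;
			# Keys for VTI
			--ikey=*)
				ikey="$(cli_get_val "${1}")"
				;;
			--okey=*)
				okey="$(cli_get_val "${1}")"
				;;
			*)
				# A mistyped option used to be dropped silently, which could
				# create a tunnel without the address the caller intended.
				error "Invalid argument: ${1}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	if ! isset mode; then
		error "--mode= is not set. Must be one of ${IP_TUNNEL_MODES}"
		return ${EXIT_ERROR}
	fi

	# IP_TUNNEL_MODES is intentionally unquoted so isoneof sees one word per mode.
	if ! isoneof mode ${IP_TUNNEL_MODES}; then
		error "Invalid mode: ${mode}"
		return ${EXIT_ERROR}
	fi

	# ikey and okey must be set for VTI devices
	if [ "${mode}" = "vti" ] && { ! isset ikey || ! isset okey; }; then
		error "--ikey= and --okey= must be set for VTI device"
		return ${EXIT_ERROR}
	fi

	# If TTL is set, make sure it is an integer.
	if isset ttl && ! isinteger ttl; then
		error "TTL must be an integer: ${ttl}"
		return ${EXIT_ERROR}
	fi

	# Optional arguments for "ip link add", collected as an array so that
	# every value is handed to ip as exactly one word.
	local cmd_args=()

	# Apply TTL if a value has been set.
	if isset ttl; then
		cmd_args+=( ttl "${ttl}" )
	fi

	# Apply local address if a value has been set.
	if isset local_address; then
		cmd_args+=( local "${local_address}" )
	fi

	# Apply remote address if a value has been set.
	if isset remote_address; then
		cmd_args+=( remote "${remote_address}" )
	fi

	# Add ikey and okey for VTI devices
	if [ "${mode}" = "vti" ]; then
		cmd_args+=( ikey "${ikey}" okey "${okey}" )
	fi

	log DEBUG "Creating tunnel device '${device}' (mode=${mode})..."

	# Create the device.
	if ! cmd ip link add name "${device}" type "${mode}" "${cmd_args[@]}"; then
		error "Could not create tunnel device ${device}"
		return ${EXIT_ERROR}
	fi

	# Disable policy lookups for VTI devices
	if [ "${mode}" = "vti" ]; then
		sysctl_set "net.ipv4.conf.${device}.disable_policy" "1"
	fi

	return ${EXIT_OK}
}

#######################################
# Remove a tunnel device.
#
# Arguments:
#   $1 - name of the device; it must exist (checked with assert)
# Outputs:
#   diagnostics via error/log
# Returns:
#   ${EXIT_OK} on success, ${EXIT_ERROR} when "ip link del" fails
#######################################
ip_tunnel_del() {
	local device="${1}"
	assert device_exists "${device}"

	# Make sure the device has been shut down.
	device_set_down "${device}"

	log DEBUG "Removing tunnel device '${device}'..."

	# Run through cmd and report a failure the same way ip_tunnel_add does,
	# instead of aborting via assert after the fact.
	if ! cmd ip link del "${device}"; then
		error "Could not remove tunnel device ${device}"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}

#######################################
# Replace the ikey/okey of an existing VTI device.
#
# Arguments:
#   $1 - name of the device (required, must exist)
#   --ikey=<key> --okey=<key>   both required
# Outputs:
#   diagnostics via error/log
# Returns:
#   ${EXIT_OK} on success, ${EXIT_ERROR} on invalid arguments, a missing
#   device, or when "ip link change" fails
#######################################
ip_tunnel_change_keys() {
	local device="${1}"
	shift

	if ! isset device; then
		error "No device given"
		return ${EXIT_ERROR}
	fi

	local ikey
	local okey

	while [ $# -gt 0 ]; do
		case "${1}" in
			--ikey=*)
				ikey="$(cli_get_val "${1}")"
				;;
			--okey=*)
				okey="$(cli_get_val "${1}")"
				;;
			*)
				error "Invalid argument: ${1}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	if ! isset ikey || ! isset okey; then
		error "You need to set --ikey= and --okey="
		return ${EXIT_ERROR}
	fi

	if ! device_exists "${device}"; then
		error "No such device: ${device}"
		return ${EXIT_ERROR}
	fi

	if ! cmd ip link change dev "${device}" \
			type vti ikey "${ikey}" okey "${okey}"; then
		error "Could not change keys of device ${device}"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}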