#include <sys/types.h>
#include <sys/stat.h>
#include <signal.h>
+
#include "setuid.h"
+#include "netutil.h"
/*
This module is responsible for start stop of the vpn system.
fprintf (stderr, "\t\tI : Print Statusinfo\n");
}
+static void ipsec_reload() {
+ /* Re-read all configuration files and secrets and
+ * reload the daemon (#10339).
+ */
+ safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1");
+ safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+}
+
/*
ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
*/
void open_physical (char *interface, int nat_traversal_port) {
char str[STRING_SIZE];
- // GRE ???
-// sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
-// safe_system(str);
- // ESP
-// sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
-// safe_system(str);
- // AH
-// sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
-// safe_system(str);
// IKE
-
- sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+ sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
safe_system(str);
- sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
+ sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
safe_system(str);
if (! nat_traversal_port)
return;
- sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+ sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
safe_system(str);
- sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+ sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
safe_system(str);
}
void ipsec_norules() {
/* clear input rules */
- safe_system("/sbin/iptables -F IPSECINPUT");
- safe_system("/sbin/iptables -F IPSECFORWARD");
- safe_system("/sbin/iptables -F IPSECOUTPUT");
+ safe_system("/sbin/iptables --wait -F IPSECINPUT");
+ safe_system("/sbin/iptables --wait -F IPSECFORWARD");
+ safe_system("/sbin/iptables --wait -F IPSECOUTPUT");
}
/*
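Review bot: The four rewritten `sprintf` calls in open_physical still format `interface` (and the port) into the fixed `str[STRING_SIZE]` buffer with no length bound, while the rest of this file builds commands with `snprintf(command, STRING_SIZE - 1, ...)`; since each of these lines is already being touched for `--wait`, this is the natural place to switch them, e.g. `snprintf(str, sizeof str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);` and likewise for the other three. Separately, `static void ipsec_reload()` declares an unprototyped function in C; writing `static void ipsec_reload(void)` lets the compiler reject a call that accidentally passes arguments. The `ipsec_norules` changes in the same hunk are only the `--wait` addition and need nothing further.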
"/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
- // Reload the configuration into the daemon.
- safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+ // Reload the IPsec block chain
+ safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+
+ // Reload the configuration into the daemon (#10339).
+ ipsec_reload();
// Bring the connection up again.
snprintf(command, STRING_SIZE - 1,
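Review bot: The block-chain refresh and the daemon reload run in the opposite order here (`ipsec-block` first, then `ipsec_reload()`) from the delete path in the next hunk (`ipsec_reload()` first, then `ipsec-block`), and nothing records whether that asymmetry is deliberate. If the order matters — for instance because the block rules must already be present while the tunnel is torn down and brought up again — a one-line comment at the `ipsec-block` call, along the lines of `// Refresh the block chain before the reload so the rules are in place while the connection is renegotiated`, would keep a later cleanup from "harmonising" the two call sites; if it does not matter, a comment saying so is just as useful. The enclosing functions of both hunks start outside the shown lines, so I cannot tell from here whether surrounding code depends on the order.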
safe_system(command);
// Reload, so the connection is dropped.
- safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+ ipsec_reload();
+
+ // Reload the IPsec block chain
+ safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
}
int main(int argc, char *argv[]) {
}
if (strcmp(argv[1], "R") == 0) {
- safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+ ipsec_reload();
exit(0);
}
findkey(kv, "GREEN_DEV", if_green);
if (VALID_DEVICE(if_green))
enable_green++;
- else
- fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n");
// Check if ORANGE is enabled.
findkey(kv, "ORANGE_DEV", if_orange);
if (VALID_DEVICE(if_orange))
enable_orange++;
- else
- fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n");
// Check if BLUE is enabled.
findkey(kv, "BLUE_DEV", if_blue);
if (VALID_DEVICE(if_blue))
enable_blue++;
- else
- fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");
freekeyvalues(kv);
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
+ safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}
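Review bot: Removing the three `else fprintf(stderr, ...)` branches means an invalid or missing `GREEN_DEV`, `ORANGE_DEV` or `BLUE_DEV` now leaves the corresponding `enable_*` counter at zero with no diagnostic at all, so the rules for that zone are silently never opened and an operator has nothing in the log to explain why a tunnel is not reachable. Dropping the warning is reasonable for zones that are legitimately absent, but a short comment recording that decision, e.g. `// ORANGE/BLUE are optional zones; a missing device is not an error, so no warning is printed.`, would stop the next reader from re-adding them, and keeping the green message (green appears to be the mandatory zone here, though I cannot confirm that from these lines) would preserve the one case that is most likely a real misconfiguration. The new `ipsec-block` call before `ipsec restart` discards its exit status like every other `safe_system` call in the file, so that is consistent with existing behaviour rather than a new issue.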