X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Fmisc-progs%2Fipsecctrl.c;h=9afc409ca96c2792a10f6750143f6b58038dd1f7;hb=c1a34012352f9eee339f78c00130807e275b05c2;hp=633004e2331d4d7044c77f4cf9d5f1dc82938a30;hpb=2efd0cd68aa23e977a57b9cdb4177c3dc2d30edf;p=ipfire-2.x.git

diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 633004e233..9afc409ca9 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -13,7 +13,9 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <signal.h>
+
 #include "setuid.h"
+#include "netutil.h"
 
 /*
     This module is responsible for start stop of the vpn system.
@@ -42,42 +44,48 @@ void usage() {
         fprintf (stderr, "\t\tI : Print Statusinfo\n");
 }
 
+static void ipsec_reload() {
+	/* Re-read all configuration files and secrets and
+	 * reload the daemon (#10339).
+	 */
+	safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1");
+	safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+}
+
 /*
         ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
 */
 void open_physical (char *interface, int nat_traversal_port) {
         char str[STRING_SIZE];
 
-        // GRE ???
-//        sprintf(str, "/sbin/iptables -A " phystable " -p 47  -i %s -j ACCEPT", interface);
-//        safe_system(str);
-        // ESP
-//        sprintf(str, "/sbin/iptables -A " phystable " -p 50  -i %s -j ACCEPT", interface);
-//        safe_system(str);
-        // AH
-//        sprintf(str, "/sbin/iptables -A " phystable " -p 51  -i %s -j ACCEPT", interface);
-//        safe_system(str);
         // IKE
-
-        sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+        sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+        safe_system(str);
+        sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
         safe_system(str);
-        sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
+        sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+        safe_system(str);
+        sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface);
         safe_system(str);
 
         if (! nat_traversal_port) 
             return;
 
-        sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+        sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+        safe_system(str);
+        sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+        safe_system(str);
+        sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
         safe_system(str);
-        sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+        sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port);
         safe_system(str);
 }
 
 void ipsec_norules() {
         /* clear input rules */
-        safe_system("/sbin/iptables -F IPSECINPUT");
-        safe_system("/sbin/iptables -F IPSECFORWARD");
-        safe_system("/sbin/iptables -F IPSECOUTPUT");
+        safe_system("/sbin/iptables --wait -F IPSECINPUT");
+        safe_system("/sbin/iptables --wait -F IPSECFORWARD");
+        safe_system("/sbin/iptables --wait -F IPSECOUTPUT");
 }
 
 /*
@@ -144,8 +152,11 @@ void turn_connection_on(char *name, char *type) {
                 "/usr/sbin/ipsec down %s >/dev/null", name);
         safe_system(command);
 
-	// Reload the configuration into the daemon.
-	safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+	// Reload the IPsec block chain
+	safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+
+	// Reload the configuration into the daemon (#10339).
+	ipsec_reload();
 
 	// Bring the connection up again.
 	snprintf(command, STRING_SIZE - 1,
@@ -169,7 +180,10 @@ void turn_connection_off (char *name) {
         safe_system(command);
 
 	// Reload, so the connection is dropped.
-        safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+	ipsec_reload();
+
+	// Reload the IPsec block chain
+	safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
 }
 
 int main(int argc, char *argv[]) {
@@ -193,7 +207,7 @@ int main(int argc, char *argv[]) {
         }
 
         if (strcmp(argv[1], "R") == 0) {
-                safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+		ipsec_reload();
                 exit(0);
         }
 
@@ -302,6 +316,7 @@ int main(int argc, char *argv[]) {
 
         // start the system
         if ((argc == 2) && strcmp(argv[1], "S") == 0) {
+		safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
 		safe_system("/usr/sbin/ipsec restart >/dev/null");
                 exit(0);
         }