]>
Commit | Line | Data |
---|---|---|
cd1a2927 MT |
1 | /*\r |
2 | *\r | |
3 | * File originally from the Smoothwall project\r | |
4 | * (c) 2001 Smoothwall Team\r | |
5 | *\r | |
6 | * $Id: ipsecctrl.c,v 1.5.2.14 2005/05/15 12:58:28 rkerr Exp $\r | |
7 | *\r | |
8 | */\r | |
9 | \r | |
10 | #include "libsmooth.h"\r | |
11 | #include <stdio.h>\r | |
12 | #include <stdlib.h>\r | |
13 | #include <string.h>\r | |
14 | #include <unistd.h>\r | |
15 | #include <sys/types.h>\r | |
16 | #include <sys/stat.h>\r | |
17 | #include <signal.h>\r | |
18 | #include "setuid.h"\r | |
19 | \r | |
20 | void usage() {\r | |
21 | fprintf (stderr, "Usage:\n");\r | |
22 | fprintf (stderr, "\tipsecctrl S [connectionkey]\n");\r | |
23 | fprintf (stderr, "\tipsecctrl D [connectionkey]\n");\r | |
24 | fprintf (stderr, "\tipsecctrl R\n");\r | |
25 | fprintf (stderr, "\t\tS : Start/Restart Connection\n");\r | |
26 | fprintf (stderr, "\t\tD : Stop Connection\n");\r | |
27 | fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n");\r | |
28 | }\r | |
29 | \r | |
30 | void loadalgmodules() {\r | |
31 | safe_system("/sbin/modprobe ipsec_3des");\r | |
32 | safe_system("/sbin/modprobe ipsec_aes");\r | |
33 | safe_system("/sbin/modprobe ipsec_blowfish");\r | |
34 | safe_system("/sbin/modprobe ipsec_md5");\r | |
35 | safe_system("/sbin/modprobe ipsec_serpent");\r | |
36 | safe_system("/sbin/modprobe ipsec_sha1");\r | |
37 | safe_system("/sbin/modprobe ipsec_sha2");\r | |
38 | safe_system("/sbin/modprobe ipsec_twofish");\r | |
39 | }\r | |
40 | \r | |
41 | void ipsecrules(char *chain, char *interface)\r | |
42 | {\r | |
43 | char str[STRING_SIZE];\r | |
44 | \r | |
45 | sprintf(str, "/sbin/iptables -A %s -p 47 -i %s -j ACCEPT", chain, interface);\r | |
46 | safe_system(str);\r | |
47 | sprintf(str, "/sbin/iptables -A %s -p 50 -i %s -j ACCEPT", chain, interface);\r | |
48 | safe_system(str);\r | |
49 | sprintf(str, "/sbin/iptables -A %s -p 51 -i %s -j ACCEPT", chain, interface);\r | |
50 | safe_system(str);\r | |
51 | sprintf(str, "/sbin/iptables -A %s -p udp -i %s --sport 500 --dport 500 -j ACCEPT", chain, interface);\r | |
52 | safe_system(str);\r | |
53 | sprintf(str, "/sbin/iptables -A %s -p udp -i %s --dport 4500 -j ACCEPT", chain, interface);\r | |
54 | safe_system(str);\r | |
55 | }\r | |
56 | \r | |
57 | void addaliasinterfaces(char *configtype, char *redtype, char *redif, char *enablered, char*enableblue)\r | |
58 | {\r | |
59 | FILE *file = NULL;\r | |
60 | char s[STRING_SIZE];\r | |
61 | char *sptr;\r | |
62 | char *aliasip=NULL;\r | |
63 | char *enabled=NULL;\r | |
64 | char *comment=NULL;\r | |
65 | int count=0;\r | |
66 | int alias=0;\r | |
67 | int add=0;\r | |
68 | \r | |
69 | if ( strcmp(enablered, "on") == 0 ) \r | |
70 | add += 1;\r | |
71 | if ( strcmp(enableblue, "on") == 0 )\r | |
72 | add += 1;\r | |
73 | \r | |
74 | /* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not,\r | |
75 | * exit gracefully. This is not an error... */\r | |
76 | if (!((strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) || (strcmp(configtype, "6")==0) || (strcmp(configtype, "7")==0)))\r | |
77 | return;\r | |
78 | \r | |
79 | /* Now check the RED_TYPE - aliases only work with STATIC. */\r | |
80 | if (!(strcmp(redtype, "STATIC")==0))\r | |
81 | return;\r | |
82 | \r | |
83 | /* Now set up the new aliases from the config file */\r | |
84 | if (!(file = fopen(CONFIG_ROOT "/ethernet/aliases", "r")))\r | |
85 | {\r | |
86 | fprintf(stderr, "Unable to open aliases configuration file\n");\r | |
87 | return;\r | |
88 | }\r | |
89 | \r | |
90 | while (fgets(s, STRING_SIZE, file) != NULL && (add+alias) < 16)\r | |
91 | {\r | |
92 | if (s[strlen(s) - 1] == '\n')\r | |
93 | s[strlen(s) - 1] = '\0';\r | |
94 | sptr = strtok(s, ",");\r | |
95 | count = 0;\r | |
96 | aliasip = NULL;\r | |
97 | enabled = NULL;\r | |
98 | comment = NULL;\r | |
99 | while (sptr)\r | |
100 | {\r | |
101 | if (count == 0)\r | |
102 | aliasip = sptr;\r | |
103 | if (count == 1)\r | |
104 | enabled = sptr;\r | |
105 | else\r | |
106 | comment = sptr;\r | |
107 | count++;\r | |
108 | sptr = strtok(NULL, ",");\r | |
109 | }\r | |
110 | \r | |
111 | if (!(aliasip && enabled))\r | |
112 | continue;\r | |
113 | \r | |
114 | if (!VALID_IP(aliasip))\r | |
115 | {\r | |
116 | fprintf(stderr, "Bad alias : %s\n", aliasip);\r | |
117 | return;\r | |
118 | }\r | |
119 | \r | |
120 | if (strcmp(enabled, "on") == 0)\r | |
121 | {\r | |
122 | memset(s, 0, STRING_SIZE);\r | |
123 | snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", alias+add, redif, alias);\r | |
124 | safe_system(s);\r | |
125 | alias++;\r | |
126 | }\r | |
127 | }\r | |
128 | }\r | |
129 | \r | |
130 | int main(int argc, char *argv[]) {\r | |
131 | int count;\r | |
132 | char s[STRING_SIZE];\r | |
133 | char configtype[STRING_SIZE];\r | |
134 | char redtype[STRING_SIZE] = "";\r | |
135 | char command[STRING_SIZE];\r | |
136 | char *result;\r | |
137 | char *key;\r | |
138 | char *enabled;\r | |
139 | char *name;\r | |
140 | char *type;\r | |
141 | char *running;\r | |
142 | FILE *file = NULL;\r | |
143 | struct keyvalue *kv = NULL;\r | |
144 | char enablered[STRING_SIZE] = "off";\r | |
145 | char enableblue[STRING_SIZE] = "off";\r | |
146 | char redif[STRING_SIZE] = "";;\r | |
147 | char blueif[STRING_SIZE] = "";\r | |
148 | FILE *ifacefile = NULL;\r | |
149 | \r | |
150 | if (!(initsetuid()))\r | |
151 | exit(1);\r | |
152 | \r | |
153 | if (argc < 2) {\r | |
154 | usage();\r | |
155 | exit(1);\r | |
156 | }\r | |
157 | \r | |
158 | /* FIXME: workaround for pclose() issue - still no real idea why\r | |
159 | * this is happening */\r | |
160 | signal(SIGCHLD, SIG_DFL);\r | |
161 | \r | |
162 | /* Init the keyvalue structure */\r | |
163 | kv=initkeyvalues();\r | |
164 | \r | |
165 | /* Read in the current values */\r | |
166 | if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))\r | |
167 | {\r | |
168 | fprintf(stderr, "Cannot read vpn settings\n");\r | |
169 | exit(1);\r | |
170 | }\r | |
171 | \r | |
172 | findkey(kv, "ENABLED", enablered);\r | |
173 | findkey(kv, "ENABLED_BLUE", enableblue);\r | |
174 | \r | |
175 | freekeyvalues(kv);\r | |
176 | kv=initkeyvalues();\r | |
177 | \r | |
178 | if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r | |
179 | {\r | |
180 | fprintf(stderr, "Cannot read ethernet settings\n");\r | |
181 | exit(1);\r | |
182 | }\r | |
183 | \r | |
184 | if (!findkey(kv, "CONFIG_TYPE", configtype))\r | |
185 | {\r | |
186 | fprintf(stderr, "Cannot read CONFIG_TYPE\n");\r | |
187 | exit(1);\r | |
188 | }\r | |
189 | \r | |
190 | findkey(kv, "RED_TYPE", redtype);\r | |
191 | findkey(kv, "BLUE_DEV", blueif);\r | |
192 | freekeyvalues(kv);\r | |
193 | memset(redif, 0, STRING_SIZE);\r | |
194 | \r | |
195 | if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r | |
196 | {\r | |
197 | if (fgets(redif, STRING_SIZE, ifacefile))\r | |
198 | {\r | |
199 | if (redif[strlen(redif) - 1] == '\n')\r | |
200 | redif[strlen(redif) - 1] = '\0';\r | |
201 | }\r | |
202 | fclose (ifacefile);\r | |
203 | ifacefile = NULL;\r | |
204 | \r | |
205 | if (!VALID_DEVICE(redif))\r | |
206 | {\r | |
207 | memset(redif, 0, STRING_SIZE);\r | |
208 | }\r | |
209 | }\r | |
210 | \r | |
211 | safe_system("/sbin/iptables -F IPSECRED");\r | |
212 | if (!strcmp(enablered, "on") && strlen(redif)) {\r | |
213 | ipsecrules("IPSECRED", redif);\r | |
214 | }\r | |
215 | \r | |
216 | safe_system("/sbin/iptables -F IPSECBLUE");\r | |
217 | if (!strcmp(enableblue, "on")) {\r | |
218 | if (VALID_DEVICE(blueif))\r | |
219 | ipsecrules("IPSECBLUE", blueif);\r | |
220 | else\r | |
221 | {\r | |
222 | fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");\r | |
223 | exit(1);\r | |
224 | }\r | |
225 | }\r | |
226 | \r | |
227 | /* Only shutdown pluto if it really is running */\r | |
228 | if (argc == 2) {\r | |
229 | if (strcmp(argv[1], "D") == 0) {\r | |
230 | int fd;\r | |
231 | /* Get pluto pid */\r | |
232 | if ((fd = open("/var/run/pluto.pid", O_RDONLY)) != -1) {\r | |
233 | safe_system("/etc/rc.d/ipsec stop 2> /dev/null >/dev/null");\r | |
234 | close(fd);\r | |
235 | }\r | |
236 | }\r | |
237 | }\r | |
238 | \r | |
239 | if ((strcmp(enablered, "on") || !strlen(redif)) && strcmp(enableblue, "on"))\r | |
240 | exit(0);\r | |
241 | \r | |
242 | if (argc == 2) {\r | |
243 | if (strcmp(argv[1], "S") == 0) {\r | |
244 | loadalgmodules();\r | |
245 | safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null");\r | |
246 | safe_system("/etc/rc.d/ipsec restart >/dev/null");\r | |
247 | addaliasinterfaces(configtype, redtype, redif, enablered, enableblue);\r | |
248 | } else if (strcmp(argv[1], "R") == 0) {\r | |
249 | safe_system("/usr/sbin/ipsec auto --rereadall");\r | |
250 | } else {\r | |
251 | fprintf(stderr, "Bad arg\n");\r | |
252 | usage();\r | |
253 | exit(1);\r | |
254 | }\r | |
255 | } else if (strspn(argv[2], NUMBERS) == strlen(argv[2])) {\r | |
256 | if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {\r | |
257 | fprintf(stderr, "Couldn't open vpn settings file");\r | |
258 | exit(1);\r | |
259 | }\r | |
260 | while (fgets(s, STRING_SIZE, file) != NULL) {\r | |
261 | if (s[strlen(s) - 1] == '\n')\r | |
262 | s[strlen(s) - 1] = '\0';\r | |
263 | running = strdup (s);\r | |
264 | result = strsep(&running, ",");\r | |
265 | count = 0;\r | |
266 | key = NULL;\r | |
267 | name = NULL;\r | |
268 | enabled = NULL;\r | |
269 | type = NULL;\r | |
270 | while (result) {\r | |
271 | if (count == 0)\r | |
272 | key = result;\r | |
273 | if (count == 1)\r | |
274 | enabled = result; \r | |
275 | if (count == 2)\r | |
276 | name = result;\r | |
277 | if (count == 4)\r | |
278 | type = result;\r | |
279 | count++;\r | |
280 | result = strsep(&running, ",");\r | |
281 | }\r | |
282 | if (strcmp(key, argv[2]) != 0)\r | |
283 | continue;\r | |
284 | \r | |
285 | if (!(name && enabled))\r | |
286 | continue;\r | |
287 | \r | |
288 | if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {\r | |
289 | fprintf(stderr, "Bad connection name: %s\n", name);\r | |
290 | goto EXIT;\r | |
291 | }\r | |
292 | \r | |
293 | if (! (strcmp(type, "host") == 0 || strcmp(type, "net") == 0)) {\r | |
294 | fprintf(stderr, "Bad connection type: %s\n", type);\r | |
295 | goto EXIT;\r | |
296 | }\r | |
297 | \r | |
298 | if (strcmp(argv[1], "S") == 0 && strcmp(enabled, "on") == 0) {\r | |
299 | safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");\r | |
300 | memset(command, 0, STRING_SIZE);\r | |
301 | snprintf(command, STRING_SIZE - 1, \r | |
302 | "/usr/sbin/ipsec auto --replace %s >/dev/null", name);\r | |
303 | safe_system(command);\r | |
304 | if (strcmp(type, "net") == 0) {\r | |
305 | memset(command, 0, STRING_SIZE);\r | |
306 | snprintf(command, STRING_SIZE - 1, \r | |
307 | "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name);\r | |
308 | safe_system(command);\r | |
309 | }\r | |
310 | } else if (strcmp(argv[1], "D") == 0) {\r | |
311 | safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");\r | |
312 | memset(command, 0, STRING_SIZE);\r | |
313 | snprintf(command, STRING_SIZE - 1, \r | |
314 | "/usr/sbin/ipsec auto --down %s >/dev/null", name);\r | |
315 | safe_system(command);\r | |
316 | memset(command, 0, STRING_SIZE);\r | |
317 | snprintf(command, STRING_SIZE - 1, \r | |
318 | "/usr/sbin/ipsec auto --delete %s >/dev/null", name);\r | |
319 | safe_system(command);\r | |
320 | }\r | |
321 | }\r | |
322 | } else {\r | |
323 | fprintf(stderr, "Bad arg\n");\r | |
324 | usage();\r | |
325 | exit(1);\r | |
326 | }\r | |
327 | \r | |
328 | EXIT:\r | |
329 | if (file)\r | |
330 | fclose(file);\r | |
331 | return 0;\r | |
332 | }\r |