[ipfire-2.x.git] / src / scripts / ipsec-interfaces

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

shopt -s nullglob

VPN_CONFIG="/var/ipfire/vpn/config"

eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

VARS=(
	id status name lefthost type ctype x1 x2 x3 leftsubnets
	remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	route x26 mode interface_mode interface_address interface_mtu rest
)

log() {
	logger -t ipsec "$@"
}

main() {
	# Register local variables
	local "${VARS[@]}"
	local action

	local interfaces=()

	while IFS="," read -r "${VARS[@]}"; do
		# Check if the connection is enabled
		[ "${status}" = "on" ] || continue

		# Check if this a net-to-net connection
		[ "${type}" = "net" ] || continue

		# Determine the interface name
		case "${interface_mode}" in
			gre|vti)
				local intf="${interface_mode}${id}"
				;;
			*)
				continue
				;;
		esac

		# Add the interface to the list of all interfaces
		interfaces+=( "${intf}" )

		local args=(
			"local" "${VPN_IP}"
			"remote" "${righthost}"
			"ttl" "255"
		)

		# Add key for VTI
		if [ "${interface_mode}" = "vti" ]; then
			args+=( key "${id}" )
		fi

		# Update the settings when the interface already exists
		if [ -d "/sys/class/net/${intf}" ]; then
			ip link change dev "${intf}" \
				type "${interface_mode}" "${args[@]}" &>/dev/null

		# Create a new interface and bring it up
		else
			log "Creating interface ${intf}"
			ip link add name "${intf}" type "${interface_mode}" "${args[@]}"
		fi

		# Add an IP address
		ip addr flush dev "${intf}"
		ip addr add "${interface_address}" dev "${intf}"

		# Set MTU
		ip link set dev "${intf}" mtu "${interface_mtu}"

		# Bring up the interface
		ip link set dev "${intf}" up
	done < "${VPN_CONFIG}"

	# Delete all other interfaces
	local intf
	for intf in /sys/class/net/gre* /sys/class/net/vti*; do
		intf="$(basename "${intf}")"

		# Ignore a couple of interfaces that cannot be deleted
		case "${intf}" in
			gre0|gretap0)
				continue
				;;
		esac

		# Check if interface is on the list
		local i found="false"
		for i in ${interfaces[@]}; do
			if [ "${intf}" = "${i}" ]; then
				found="true"
				break
			fi
		done

		# Nothing to do if interface was found
		${found} && continue

		# Delete the interface
		log "Deleting interface ${intf}"
		ip link del "${intf}" &>/dev/null
	done
}

main || exit $?
Commit	Line	Data
b8c153bc MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	shopt -s nullglob
	23
	24	VPN_CONFIG="/var/ipfire/vpn/config"
	25
	26	eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
	27
	28	VARS=(
	29	id status name lefthost type ctype x1 x2 x3 leftsubnets
	30	remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	31	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	32	route x26 mode interface_mode interface_address interface_mtu rest
	33	)
	34
	35	log() {
	36	logger -t ipsec "$@"
	37	}
	38
	39	main() {
b8c153bc MT	40	# Register local variables
	41	local "${VARS[@]}"
	42	local action
	43
	44	local interfaces=()
	45
	46	while IFS="," read -r "${VARS[@]}"; do
	47	# Check if the connection is enabled
	48	[ "${status}" = "on" ] \|\| continue
	49
	50	# Check if this a net-to-net connection
	51	[ "${type}" = "net" ] \|\| continue
	52
	53	# Determine the interface name
	54	case "${interface_mode}" in
	55	gre\|vti)
	56	local intf="${interface_mode}${id}"
	57	;;
	58	*)
	59	continue
	60	;;
	61	esac
	62
	63	# Add the interface to the list of all interfaces
	64	interfaces+=( "${intf}" )
	65
	66	local args=(
	67	"local" "${VPN_IP}"
05af70c2	68	"remote" "${righthost}"
b8c153bc MT	69	"ttl" "255"
	70	)
	71
	72	# Add key for VTI
	73	if [ "${interface_mode}" = "vti" ]; then
	74	args+=( key "${id}" )
	75	fi
	76
	77	# Update the settings when the interface already exists
	78	if [ -d "/sys/class/net/${intf}" ]; then
	79	ip link change dev "${intf}" \
	80	type "${interface_mode}" "${args[@]}" &>/dev/null
	81
	82	# Create a new interface and bring it up
	83	else
	84	log "Creating interface ${intf}"
	85	ip link add name "${intf}" type "${interface_mode}" "${args[@]}"
	86	fi
	87
	88	# Add an IP address
	89	ip addr flush dev "${intf}"
	90	ip addr add "${interface_address}" dev "${intf}"
	91
	92	# Set MTU
	93	ip link set dev "${intf}" mtu "${interface_mtu}"
	94
	95	# Bring up the interface
	96	ip link set dev "${intf}" up
	97	done < "${VPN_CONFIG}"
	98
	99	# Delete all other interfaces
	100	local intf
	101	for intf in /sys/class/net/gre* /sys/class/net/vti*; do
	102	intf="$(basename "${intf}")"
	103
	104	# Ignore a couple of interfaces that cannot be deleted
	105	case "${intf}" in
	106	gre0\|gretap0)
	107	continue
	108	;;
	109	esac
	110
	111	# Check if interface is on the list
	112	local i found="false"
	113	for i in ${interfaces[@]}; do
	114	if [ "${intf}" = "${i}" ]; then
	115	found="true"
	116	break
	117	fi
	118	done
	119
	120	# Nothing to do if interface was found
	121	${found} && continue
	122
	123	# Delete the interface
	124	log "Deleting interface ${intf}"
	125	ip link del "${intf}" &>/dev/null
	126	done
	127	}
	128
	129	main \|\| exit $?