[ipfire-2.x.git] / src / scripts / ipsec-interfaces

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

shopt -s nullglob

VPN_CONFIG="/var/ipfire/vpn/config"

eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

VARS=(
	id status name lefthost type ctype psk local local_id leftsubnets
	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
	route x23 mode interface_mode interface_address interface_mtu rest
)

log() {
	logger -t ipsec "$@"
}

main() {
	# Register local variables
	local "${VARS[@]}"
	local action

	local interfaces=()

	# Compat for older connections
	if [ "${local}" = "off" ]; then
		if [ "${VPN_IP}" = "%defaultroute" ]; then
			local=""
		else
			local="${VPN_IP}"
		fi
	fi

	# Handle %defaultroute
	if [ -z "${local}" ]; then
		if [ -r "/var/ipfire/red/local-ipaddress" ]; then
			local="$(</var/ipfire/red/local-ipaddress)"

		elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
			local="${RED_ADDRESS}"
		fi
	fi

	# We are done when IPsec is not enabled
	if [ "${ENABLED}" = "on" ]; then
		while IFS="," read -r "${VARS[@]}"; do
			# Check if the connection is enabled
			[ "${status}" = "on" ] || continue

			# Check if this a net-to-net connection
			[ "${type}" = "net" ] || continue

			# Determine the interface name
			case "${interface_mode}" in
				gre|vti)
					local intf="${interface_mode}${id}"
					;;
				*)
					continue
					;;
			esac

			# Add the interface to the list of all interfaces
			interfaces+=( "${intf}" )

			local args=(
				"local" "${local}"
				"remote" "${remote}"
			)

			case "${interface_mode}" in
				gre)
					# Add TTL
					args+=( "ttl" "255" )
					;;

				vti)
					# Add key for VTI
					args+=( "key" "${id}" )
					;;
			esac

			# Update the settings when the interface already exists
			if [ -d "/sys/class/net/${intf}" ]; then
				ip link change dev "${intf}" \
					type "${interface_mode}" "${args[@]}" &>/dev/null

			# Create a new interface and bring it up
			else
				log "Creating interface ${intf}"
				if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
					log "Could not create interface ${intf}"
					continue
				fi
			fi

			# Add an IP address
			ip addr flush dev "${intf}"
			ip addr add "${interface_address}" dev "${intf}"

			# Set MTU
			ip link set dev "${intf}" mtu "${interface_mtu}"

			# Bring up the interface
			ip link set dev "${intf}" up
		done < "${VPN_CONFIG}"
	fi

	# Delete all other interfaces
	local intf
	for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
		intf="$(basename "${intf}")"

		# Ignore a couple of interfaces that cannot be deleted
		case "${intf}" in
			gre0|gretap0)
				continue
				;;
		esac

		# Check if interface is on the list
		local i found="false"
		for i in ${interfaces[@]}; do
			if [ "${intf}" = "${i}" ]; then
				found="true"
				break
			fi
		done

		# Nothing to do if interface was found
		${found} && continue

		# Delete the interface
		log "Deleting interface ${intf}"
		ip link del "${intf}" &>/dev/null
	done
}

main || exit $?
Commit	Line	Data
b8c153bc MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	shopt -s nullglob
	23
	24	VPN_CONFIG="/var/ipfire/vpn/config"
	25
54bac014	26	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
b8c153bc MT	27	eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
	28
	29	VARS=(
68263645 MT	30	id status name lefthost type ctype psk local local_id leftsubnets
68263645 MT	31	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
1ca2f88a MT	32	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
1ca2f88a MT	33	route x23 mode interface_mode interface_address interface_mtu rest
b8c153bc MT	34	)
	35
	36	log() {
	37	logger -t ipsec "$@"
	38	}
	39
	40	main() {
b8c153bc MT	41	# Register local variables
	42	local "${VARS[@]}"
	43	local action
	44
	45	local interfaces=()
1ca2f88a MT	46
	47	# Compat for older connections
	48	if [ "${local}" = "off" ]; then
517683ee MT	49	if [ "${VPN_IP}" = "%defaultroute" ]; then
	50	local=""
	51	else
	52	local="${VPN_IP}"
	53	fi
1ca2f88a	54	fi
54bac014 MT	55
54bac014 MT	56	# Handle %defaultroute
1ca2f88a	57	if [ -z "${local}" ]; then
54bac014	58	if [ -r "/var/ipfire/red/local-ipaddress" ]; then
1ca2f88a	59	local="$(</var/ipfire/red/local-ipaddress)"
54bac014 MT	60
54bac014 MT	61	elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
1ca2f88a	62	local="${RED_ADDRESS}"
54bac014	63	fi
54bac014	64	fi
b8c153bc	65
1a45f9a7 MT	66	# We are done when IPsec is not enabled
	67	if [ "${ENABLED}" = "on" ]; then
	68	while IFS="," read -r "${VARS[@]}"; do
	69	# Check if the connection is enabled
	70	[ "${status}" = "on" ] \|\| continue
	71
	72	# Check if this a net-to-net connection
	73	[ "${type}" = "net" ] \|\| continue
	74
	75	# Determine the interface name
	76	case "${interface_mode}" in
	77	gre\|vti)
	78	local intf="${interface_mode}${id}"
	79	;;
	80	*)
	81	continue
	82	;;
	83	esac
	84
	85	# Add the interface to the list of all interfaces
	86	interfaces+=( "${intf}" )
	87
	88	local args=(
1ca2f88a MT	89	"local" "${local}"
1ca2f88a MT	90	"remote" "${remote}"
1a45f9a7 MT	91	)
1a45f9a7 MT	92
6a45a1f1 MT	93	case "${interface_mode}" in
	94	gre)
	95	# Add TTL
	96	args+=( "ttl" "255" )
	97	;;
	98
	99	vti)
	100	# Add key for VTI
	101	args+=( "key" "${id}" )
	102	;;
	103	esac
b8c153bc	104
1a45f9a7 MT	105	# Update the settings when the interface already exists
	106	if [ -d "/sys/class/net/${intf}" ]; then
	107	ip link change dev "${intf}" \
	108	type "${interface_mode}" "${args[@]}" &>/dev/null
b8c153bc	109
1a45f9a7 MT	110	# Create a new interface and bring it up
	111	else
	112	log "Creating interface ${intf}"
3dc21d43 MT	113	if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
	114	log "Could not create interface ${intf}"
	115	continue
	116	fi
1a45f9a7 MT	117	fi
	118
	119	# Add an IP address
	120	ip addr flush dev "${intf}"
	121	ip addr add "${interface_address}" dev "${intf}"
	122
	123	# Set MTU
	124	ip link set dev "${intf}" mtu "${interface_mtu}"
b8c153bc	125
1a45f9a7 MT	126	# Bring up the interface
	127	ip link set dev "${intf}" up
	128	done < "${VPN_CONFIG}"
	129	fi
b8c153bc MT	130
	131	# Delete all other interfaces
	132	local intf
c821440c	133	for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
b8c153bc MT	134	intf="$(basename "${intf}")"
	135
	136	# Ignore a couple of interfaces that cannot be deleted
	137	case "${intf}" in
	138	gre0\|gretap0)
	139	continue
	140	;;
	141	esac
	142
	143	# Check if interface is on the list
	144	local i found="false"
	145	for i in ${interfaces[@]}; do
	146	if [ "${intf}" = "${i}" ]; then
	147	found="true"
	148	break
	149	fi
	150	done
	151
	152	# Nothing to do if interface was found
	153	${found} && continue
	154
	155	# Delete the interface
	156	log "Deleting interface ${intf}"
	157	ip link del "${intf}" &>/dev/null
	158	done
	159	}
	160
	161	main \|\| exit $?