[ipfire-2.x.git] / src / scripts / ipsec-interfaces

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

shopt -s nullglob

VPN_CONFIG="/var/ipfire/vpn/config"

eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

VARS=(
	id status name lefthost type ctype x1 x2 x3 leftsubnets
	remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	route x26 mode interface_mode interface_address interface_mtu rest
)

log() {
	logger -t ipsec "$@"
}

main() {
	# Register local variables
	local "${VARS[@]}"
	local action

	local interfaces=()
	local vpn_ip

	# Handle %defaultroute
	if [ "${VPN_IP}" = "%defaultroute" ]; then
		if [ -r "/var/ipfire/red/local-ipaddress" ]; then
			vpn_ip="$(</var/ipfire/red/local-ipaddress)"

		elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
			vpn_ip="${RED_ADDRESS}"

		fi
	else
		vpn_ip="${VPM_IP}"
	fi

	# We are done when IPsec is not enabled
	if [ "${ENABLED}" = "on" ]; then
		while IFS="," read -r "${VARS[@]}"; do
			# Check if the connection is enabled
			[ "${status}" = "on" ] || continue

			# Check if this a net-to-net connection
			[ "${type}" = "net" ] || continue

			# Determine the interface name
			case "${interface_mode}" in
				gre|vti)
					local intf="${interface_mode}${id}"
					;;
				*)
					continue
					;;
			esac

			# Add the interface to the list of all interfaces
			interfaces+=( "${intf}" )

			local args=(
				"local" "${vpn_ip}"
				"remote" "${righthost}"
			)

			case "${interface_mode}" in
				gre)
					# Add TTL
					args+=( "ttl" "255" )
					;;

				vti)
					# Add key for VTI
					args+=( "key" "${id}" )
					;;
			esac

			# Update the settings when the interface already exists
			if [ -d "/sys/class/net/${intf}" ]; then
				ip link change dev "${intf}" \
					type "${interface_mode}" "${args[@]}" &>/dev/null

			# Create a new interface and bring it up
			else
				log "Creating interface ${intf}"
				if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
					log "Could not create interface ${intf}"
					continue
				fi
			fi

			# Add an IP address
			ip addr flush dev "${intf}"
			ip addr add "${interface_address}" dev "${intf}"

			# Set MTU
			ip link set dev "${intf}" mtu "${interface_mtu}"

			# Bring up the interface
			ip link set dev "${intf}" up
		done < "${VPN_CONFIG}"
	fi

	# Delete all other interfaces
	local intf
	for intf in /sys/class/net/gre* /sys/class/net/vti*; do
		intf="$(basename "${intf}")"

		# Ignore a couple of interfaces that cannot be deleted
		case "${intf}" in
			gre0|gretap0)
				continue
				;;
		esac

		# Check if interface is on the list
		local i found="false"
		for i in ${interfaces[@]}; do
			if [ "${intf}" = "${i}" ]; then
				found="true"
				break
			fi
		done

		# Nothing to do if interface was found
		${found} && continue

		# Delete the interface
		log "Deleting interface ${intf}"
		ip link del "${intf}" &>/dev/null
	done
}

main || exit $?
Commit	Line	Data
b8c153bc MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	shopt -s nullglob
	23
	24	VPN_CONFIG="/var/ipfire/vpn/config"
	25
54bac014	26	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
b8c153bc MT	27	eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
	28
	29	VARS=(
	30	id status name lefthost type ctype x1 x2 x3 leftsubnets
	31	remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	32	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	33	route x26 mode interface_mode interface_address interface_mtu rest
	34	)
	35
	36	log() {
	37	logger -t ipsec "$@"
	38	}
	39
	40	main() {
b8c153bc MT	41	# Register local variables
	42	local "${VARS[@]}"
	43	local action
	44
	45	local interfaces=()
54bac014 MT	46	local vpn_ip
	47
	48	# Handle %defaultroute
	49	if [ "${VPN_IP}" = "%defaultroute" ]; then
	50	if [ -r "/var/ipfire/red/local-ipaddress" ]; then
	51	vpn_ip="$(</var/ipfire/red/local-ipaddress)"
	52
	53	elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
	54	vpn_ip="${RED_ADDRESS}"
	55
	56	fi
	57	else
	58	vpn_ip="${VPM_IP}"
	59	fi
b8c153bc	60
1a45f9a7 MT	61	# We are done when IPsec is not enabled
	62	if [ "${ENABLED}" = "on" ]; then
	63	while IFS="," read -r "${VARS[@]}"; do
	64	# Check if the connection is enabled
	65	[ "${status}" = "on" ] \|\| continue
	66
	67	# Check if this a net-to-net connection
	68	[ "${type}" = "net" ] \|\| continue
	69
	70	# Determine the interface name
	71	case "${interface_mode}" in
	72	gre\|vti)
	73	local intf="${interface_mode}${id}"
	74	;;
	75	*)
	76	continue
	77	;;
	78	esac
	79
	80	# Add the interface to the list of all interfaces
	81	interfaces+=( "${intf}" )
	82
	83	local args=(
54bac014	84	"local" "${vpn_ip}"
1a45f9a7	85	"remote" "${righthost}"
1a45f9a7 MT	86	)
1a45f9a7 MT	87
6a45a1f1 MT	88	case "${interface_mode}" in
	89	gre)
	90	# Add TTL
	91	args+=( "ttl" "255" )
	92	;;
	93
	94	vti)
	95	# Add key for VTI
	96	args+=( "key" "${id}" )
	97	;;
	98	esac
b8c153bc	99
1a45f9a7 MT	100	# Update the settings when the interface already exists
	101	if [ -d "/sys/class/net/${intf}" ]; then
	102	ip link change dev "${intf}" \
	103	type "${interface_mode}" "${args[@]}" &>/dev/null
b8c153bc	104
1a45f9a7 MT	105	# Create a new interface and bring it up
	106	else
	107	log "Creating interface ${intf}"
3dc21d43 MT	108	if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
	109	log "Could not create interface ${intf}"
	110	continue
	111	fi
1a45f9a7 MT	112	fi
	113
	114	# Add an IP address
	115	ip addr flush dev "${intf}"
	116	ip addr add "${interface_address}" dev "${intf}"
	117
	118	# Set MTU
	119	ip link set dev "${intf}" mtu "${interface_mtu}"
b8c153bc	120
1a45f9a7 MT	121	# Bring up the interface
	122	ip link set dev "${intf}" up
	123	done < "${VPN_CONFIG}"
	124	fi
b8c153bc MT	125
	126	# Delete all other interfaces
	127	local intf
	128	for intf in /sys/class/net/gre* /sys/class/net/vti*; do
	129	intf="$(basename "${intf}")"
	130
	131	# Ignore a couple of interfaces that cannot be deleted
	132	case "${intf}" in
	133	gre0\|gretap0)
	134	continue
	135	;;
	136	esac
	137
	138	# Check if interface is on the list
	139	local i found="false"
	140	for i in ${interfaces[@]}; do
	141	if [ "${intf}" = "${i}" ]; then
	142	found="true"
	143	break
	144	fi
	145	done
	146
	147	# Nothing to do if interface was found
	148	${found} && continue
	149
	150	# Delete the interface
	151	log "Deleting interface ${intf}"
	152	ip link del "${intf}" &>/dev/null
	153	done
	154	}
	155
	156	main \|\| exit $?