[ipfire-2.x.git] / src / scripts / ipsec-interfaces

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

shopt -s nullglob

VPN_CONFIG="/var/ipfire/vpn/config"

eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

VARS=(
	id status name lefthost type ctype x1 x2 x3 leftsubnets
	remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	route x26 mode interface_mode interface_address interface_mtu rest
)

log() {
	logger -t ipsec "$@"
}

main() {
	# We are done when IPsec is not enabled
	[ "${ENABLED}" = "on" ] || exit 0

	# Register local variables
	local "${VARS[@]}"
	local action

	local interfaces=()

	while IFS="," read -r "${VARS[@]}"; do
		# Check if the connection is enabled
		[ "${status}" = "on" ] || continue

		# Check if this a net-to-net connection
		[ "${type}" = "net" ] || continue

		# Determine the interface name
		case "${interface_mode}" in
			gre|vti)
				local intf="${interface_mode}${id}"
				;;
			*)
				continue
				;;
		esac

		# Add the interface to the list of all interfaces
		interfaces+=( "${intf}" )

		local args=(
			"local" "${VPN_IP}"
			"remote" "${righthost}"
			"ttl" "255"
		)

		# Add key for VTI
		if [ "${interface_mode}" = "vti" ]; then
			args+=( key "${id}" )
		fi

		# Update the settings when the interface already exists
		if [ -d "/sys/class/net/${intf}" ]; then
			ip link change dev "${intf}" \
				type "${interface_mode}" "${args[@]}" &>/dev/null

		# Create a new interface and bring it up
		else
			log "Creating interface ${intf}"
			ip link add name "${intf}" type "${interface_mode}" "${args[@]}"
		fi

		# Add an IP address
		ip addr flush dev "${intf}"
		ip addr add "${interface_address}" dev "${intf}"

		# Set MTU
		ip link set dev "${intf}" mtu "${interface_mtu}"

		# Bring up the interface
		ip link set dev "${intf}" up
	done < "${VPN_CONFIG}"

	# Delete all other interfaces
	local intf
	for intf in /sys/class/net/gre* /sys/class/net/vti*; do
		intf="$(basename "${intf}")"

		# Ignore a couple of interfaces that cannot be deleted
		case "${intf}" in
			gre0|gretap0)
				continue
				;;
		esac

		# Check if interface is on the list
		local i found="false"
		for i in ${interfaces[@]}; do
			if [ "${intf}" = "${i}" ]; then
				found="true"
				break
			fi
		done

		# Nothing to do if interface was found
		${found} && continue

		# Delete the interface
		log "Deleting interface ${intf}"
		ip link del "${intf}" &>/dev/null
	done
}

main || exit $?
Commit	Line	Data
b8c153bc MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	shopt -s nullglob
	23
	24	VPN_CONFIG="/var/ipfire/vpn/config"
	25
	26	eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
	27
	28	VARS=(
	29	id status name lefthost type ctype x1 x2 x3 leftsubnets
	30	remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
	31	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
	32	route x26 mode interface_mode interface_address interface_mtu rest
	33	)
	34
	35	log() {
	36	logger -t ipsec "$@"
	37	}
	38
	39	main() {
a56357b8 MT	40	# We are done when IPsec is not enabled
	41	[ "${ENABLED}" = "on" ] \|\| exit 0
	42
b8c153bc MT	43	# Register local variables
	44	local "${VARS[@]}"
	45	local action
	46
	47	local interfaces=()
	48
	49	while IFS="," read -r "${VARS[@]}"; do
	50	# Check if the connection is enabled
	51	[ "${status}" = "on" ] \|\| continue
	52
	53	# Check if this a net-to-net connection
	54	[ "${type}" = "net" ] \|\| continue
	55
	56	# Determine the interface name
	57	case "${interface_mode}" in
	58	gre\|vti)
	59	local intf="${interface_mode}${id}"
	60	;;
	61	*)
	62	continue
	63	;;
	64	esac
	65
	66	# Add the interface to the list of all interfaces
	67	interfaces+=( "${intf}" )
	68
	69	local args=(
	70	"local" "${VPN_IP}"
05af70c2	71	"remote" "${righthost}"
b8c153bc MT	72	"ttl" "255"
	73	)
	74
	75	# Add key for VTI
	76	if [ "${interface_mode}" = "vti" ]; then
	77	args+=( key "${id}" )
	78	fi
	79
	80	# Update the settings when the interface already exists
	81	if [ -d "/sys/class/net/${intf}" ]; then
	82	ip link change dev "${intf}" \
	83	type "${interface_mode}" "${args[@]}" &>/dev/null
	84
	85	# Create a new interface and bring it up
	86	else
	87	log "Creating interface ${intf}"
	88	ip link add name "${intf}" type "${interface_mode}" "${args[@]}"
	89	fi
	90
	91	# Add an IP address
	92	ip addr flush dev "${intf}"
	93	ip addr add "${interface_address}" dev "${intf}"
	94
	95	# Set MTU
	96	ip link set dev "${intf}" mtu "${interface_mtu}"
	97
	98	# Bring up the interface
	99	ip link set dev "${intf}" up
	100	done < "${VPN_CONFIG}"
	101
	102	# Delete all other interfaces
	103	local intf
	104	for intf in /sys/class/net/gre* /sys/class/net/vti*; do
	105	intf="$(basename "${intf}")"
	106
	107	# Ignore a couple of interfaces that cannot be deleted
	108	case "${intf}" in
	109	gre0\|gretap0)
	110	continue
	111	;;
	112	esac
	113
	114	# Check if interface is on the list
	115	local i found="false"
	116	for i in ${interfaces[@]}; do
	117	if [ "${intf}" = "${i}" ]; then
	118	found="true"
	119	break
	120	fi
	121	done
	122
	123	# Nothing to do if interface was found
	124	${found} && continue
	125
	126	# Delete the interface
	127	log "Deleting interface ${intf}"
	128	ip link del "${intf}" &>/dev/null
	129	done
	130	}
	131
	132	main \|\| exit $?