X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Fmisc-progs%2Fipsecctrl.c;h=278bacd0b7ac29272a40dc2f4cf21261217a9db9;hp=65a96e01c8945a6eff25f97d7b7af47c0c30dfd6;hb=6cf8bc9161c21dd7c274d09473ab46e3094204ac;hpb=9f0b5c9f4dc586433c8664074fcc46cefda0f666
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 65a96e01c8..278bacd0b7 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -13,7 +13,9 @@
 #include
 #include
 #include
+
 #include "setuid.h"
+#include "netutil.h"
 /* This module is responsible for start stop of the vpn system.
@@ -42,42 +44,12 @@ void usage() {
 fprintf (stderr, "\t\tI : Print Statusinfo\n");
 }
 
-/*
- ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
-*/
-void open_physical (char *interface, int nat_traversal_port) {
- char str[STRING_SIZE];
-
- // GRE ???
-// sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
-// safe_system(str);
- // ESP
-// sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
-// safe_system(str);
- // AH
-// sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
-// safe_system(str);
- // IKE
-
- sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
-
- if (! nat_traversal_port)
- return;
-
- sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
-}
-
-void ipsec_norules() {
- /* clear input rules */
- safe_system("/sbin/iptables -F IPSECINPUT");
- safe_system("/sbin/iptables -F IPSECFORWARD");
- safe_system("/sbin/iptables -F IPSECOUTPUT");
+static void ipsec_reload() {
+ /* Re-read all configuration files and secrets and
+ * reload the daemon (#10339).
+ */
+ safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1");
+ safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
 }
 
 /*
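Review bot: The new ipsec_reload() throws away the exit status of both `ipsec rereadall` and `ipsec reload` and sends their stderr to /dev/null, so a secrets file that fails to parse or a daemon that is not running goes unnoticed and the callers in turn_connection_on/off carry on with `ipsec up` as if the reload had worked. safe_system() is declared in setuid.h outside this hunk; if it returns the command status as its name suggests, capture it and emit a diagnostic, e.g. `if (safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1")) fprintf(stderr, "ipsec rereadall failed\n");` and the same for reload, so the CGI caller at least sees that the reload did not happen. Separately, `static void ipsec_reload()` is an old-style unprototyped declaration in C; write `static void ipsec_reload(void)` so a stray argument is rejected at compile time.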
@@ -144,8 +116,11 @@ void turn_connection_on(char *name, char *type) {
 "/usr/sbin/ipsec down %s >/dev/null", name);
 safe_system(command);
 
- // Reload the configuration into the daemon.
- safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+
+ // Reload the configuration into the daemon (#10339).
+ ipsec_reload();
 
 // Bring the connection up again.
 snprintf(command, STRING_SIZE - 1,
@@ -169,12 +144,13 @@ void turn_connection_off (char *name) {
 safe_system(command);
 
 // Reload, so the connection is dropped.
- safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+ ipsec_reload();
+
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
 }
 
 int main(int argc, char *argv[]) {
- char configtype[STRING_SIZE];
- char redtype[STRING_SIZE] = "";
 struct keyvalue *kv = NULL;
 
 if (argc < 2) {
@@ -183,9 +159,8 @@ int main(int argc, char *argv[]) {
 }
 if (!(initsetuid()))
 exit(1);
-
- FILE *file = NULL;
-
+ 
+ FILE *file = NULL;
 
 if (strcmp(argv[1], "I") == 0) {
 safe_system("/usr/sbin/ipsec status");
@@ -193,7 +168,7 @@ int main(int argc, char *argv[]) {
 }
 
 if (strcmp(argv[1], "R") == 0) {
- safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+ ipsec_reload();
 exit(0);
 }
 
@@ -205,7 +180,7 @@ int main(int argc, char *argv[]) {
 if (argc == 2) {
 if (strcmp(argv[1], "D") == 0) {
 safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
- ipsec_norules();
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
 exit(0);
 }
 }
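Review bot: The literal `safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");` is pasted verbatim in turn_connection_on, turn_connection_off and the "D" branch of main (and once more in the later "S" hunk), while the commit introduces ipsec_reload() precisely to avoid repeating the daemon-reload command; the policy refresh deserves the same treatment so the path and redirection live in one place: `static void ipsec_reload_policy(void) {` / `	safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");` / `}`. The policy call also differs from every other safe_system() in these hunks in that its exit status is ignored and its stderr is not redirected, so a failing policy script prints into the CGI's output but never stops the following `ipsec up`; the helper is the natural place to check the status and report it. The `+	` line added in the -183 hunk is whitespace-only and should be a plain empty line. The bodies of turn_connection_on and turn_connection_off begin before these hunks.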
@@ -227,87 +202,11 @@ int main(int argc, char *argv[]) {
 exit(0);
 }
 
- /* read interface settings */
- kv=initkeyvalues();
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
- {
- fprintf(stderr, "Cannot read ethernet settings\n");
- exit(1);
- }
- if (!findkey(kv, "CONFIG_TYPE", configtype))
- {
- fprintf(stderr, "Cannot read CONFIG_TYPE\n");
- exit(1);
- }
- findkey(kv, "RED_TYPE", redtype);
-
-
- /* Loop through the config file to find physical interface that will accept IPSEC */
- int enable_red=0; // states 0: not used
- int enable_green=0; // 1: error condition
- int enable_orange=0; // 2: good
- int enable_blue=0;
- char if_red[STRING_SIZE] = "";
- char if_green[STRING_SIZE] = "";
- char if_orange[STRING_SIZE] = "";
- char if_blue[STRING_SIZE] = "";
 char s[STRING_SIZE];
 
- // when RED is up, find interface name in special file
- FILE *ifacefile = NULL;
- if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
- if (fgets(if_red, STRING_SIZE, ifacefile)) {
- if (if_red[strlen(if_red) - 1] == '\n')
- if_red[strlen(if_red) - 1] = '\0';
- }
- fclose (ifacefile);
-
- if (VALID_DEVICE(if_red))
- enable_red++;
- }
-
- // Check if GREEN is enabled.
- findkey(kv, "GREEN_DEV", if_green);
- if (VALID_DEVICE(if_green))
- enable_green++;
- else
- fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n");
-
- // Check if ORANGE is enabled.
- findkey(kv, "ORANGE_DEV", if_orange);
- if (VALID_DEVICE(if_orange))
- enable_orange++;
- else
- fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n");
-
- // Check if BLUE is enabled.
- findkey(kv, "BLUE_DEV", if_blue);
- if (VALID_DEVICE(if_blue))
- enable_blue++;
- else
- fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");
-
- freekeyvalues(kv);
-
- // exit if nothing to do
- if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
- exit(0);
-
- // open needed ports
- if (enable_red > 0)
- open_physical(if_red, 4500);
-
- if (enable_green > 0)
- open_physical(if_green, 4500);
-
- if (enable_orange > 0)
- open_physical(if_orange, 4500);
-
- if (enable_blue > 0)
- open_physical(if_blue, 4500);
-
- // start the system
+ // start the system
 if ((argc == 2) && strcmp(argv[1], "S") == 0) {
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
 safe_system("/usr/sbin/ipsec restart >/dev/null");
 exit(0);
 }
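Review bot: The "S" path now runs the policy script and then `ipsec restart` without looking at the script's exit status, so if /usr/lib/firewall/ipsec-policy is missing or fails, the daemon is still restarted behind whatever IKE/NAT-T rules happened to be loaded before; the old code at least refused to proceed on an unreadable ethernet/settings. A guard of the form `if (safe_system("/usr/lib/firewall/ipsec-policy >/dev/null")) { fprintf(stderr, "Could not load IPsec firewall policy\n"); exit(1); }` keeps the fail-closed behaviour. With initkeyvalues()/freekeyvalues() removed here, `struct keyvalue *kv = NULL;` kept at the top of main (context in an earlier hunk) has no remaining user visible in this diff; unless the unshown lines between the hunks use it, drop it, and likewise check whether `char s[STRING_SIZE]` is still used after the hunk. Nothing on the new side of this diff references a symbol from the newly added `#include "netutil.h"`; if it was added for VALID_DEVICE, that use disappears with this hunk. The hunk also assumes the policy script removes the accept rules when IPsec is stopped ("D" branch), which cannot be verified from this file.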