X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Fscripts%2Fipsec-interfaces;h=0f33eb1519fe59c2f183469b8dc7321ec587944c;hp=da4f6a02f47e7d082d2ece5fcb868210f0b29c91;hb=68263645802e5eb00350fbd50a90fe2583186ec2;hpb=05af70c2f32988cc38f1c50d37e8d191170a26ce
diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces
index da4f6a02f4..0f33eb1519 100644
--- a/src/scripts/ipsec-interfaces
+++ b/src/scripts/ipsec-interfaces
@@ -23,13 +23,14 @@ shopt -s nullglob
 VPN_CONFIG="/var/ipfire/vpn/config"
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
 VARS=(
- id status name lefthost type ctype x1 x2 x3 leftsubnets
- remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
- x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
- route x26 mode interface_mode interface_address interface_mtu rest
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
 )
 log() {
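Review bot: The new VARS field named `local` makes every later `local=…` in main() an assignment to a shell variable that shares its name with the bash `local` builtin; `local "${VARS[@]}"` and `read -r "${VARS[@]}"` accept it, but lines such as `local=""` then read like declarations and are easy to misread. A short comment at the VARS declaration would help, e.g. `# NB: "local" is the connection's local endpoint column, not the shell builtin`, or a column name such as `local_address` if the field list can be renamed consistently. The consumer of the newly eval'd /var/ipfire/ethernet/settings is not visible in this excerpt, so I cannot tell which of its keys the script relies on.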
@@ -37,71 +38,95 @@ log() { } main() { - # We are done when IPsec is not enabled - [ "${ENABLED}" = "on" ] || exit 0 - # Register local variables local "${VARS[@]}" local action local interfaces=() - while IFS="," read -r "${VARS[@]}"; do - # Check if the connection is enabled - [ "${status}" = "on" ] || continue + # Compat for older connections + if [ "${local}" = "off" ]; then + local="" + fi - # Check if this a net-to-net connection - [ "${type}" = "net" ] || continue - - # Determine the interface name - case "${interface_mode}" in - gre|vti) - local intf="${interface_mode}${id}" - ;; - *) - continue - ;; - esac + # Handle %defaultroute + if [ -z "${local}" ]; then + if [ -r "/var/ipfire/red/local-ipaddress" ]; then + local="$(/dev/null - - # Create a new interface and bring it up - else - log "Creating interface ${intf}" - ip link add name "${intf}" type "${interface_mode}" "${args[@]}" - fi + # We are done when IPsec is not enabled + if [ "${ENABLED}" = "on" ]; then + while IFS="," read -r "${VARS[@]}"; do + # Check if the connection is enabled + [ "${status}" = "on" ] || continue + + # Check if this a net-to-net connection + [ "${type}" = "net" ] || continue + + # Determine the interface name + case "${interface_mode}" in + gre|vti) + local intf="${interface_mode}${id}" + ;; + *) + continue + ;; + esac + + # Add the interface to the list of all interfaces + interfaces+=( "${intf}" ) + + local args=( + "local" "${local}" + "remote" "${remote}" + ) + + case "${interface_mode}" in + gre) + # Add TTL + args+=( "ttl" "255" ) + ;; + + vti) + # Add key for VTI + args+=( "key" "${id}" ) + ;; + esac + + # Update the settings when the interface already exists + if [ -d "/sys/class/net/${intf}" ]; then + ip link change dev "${intf}" \ + type "${interface_mode}" "${args[@]}" &>/dev/null + + # Create a new interface and bring it up + else + log "Creating interface ${intf}" + if ! 
ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then + log "Could not create interface ${intf}" + continue + fi + fi - # Add an IP address - ip addr flush dev "${intf}" - ip addr add "${interface_address}" dev "${intf}" + # Add an IP address + ip addr flush dev "${intf}" + ip addr add "${interface_address}" dev "${intf}" - # Set MTU - ip link set dev "${intf}" mtu "${interface_mtu}" + # Set MTU + ip link set dev "${intf}" mtu "${interface_mtu}" - # Bring up the interface - ip link set dev "${intf}" up - done < "${VPN_CONFIG}" + # Bring up the interface + ip link set dev "${intf}" up + done < "${VPN_CONFIG}" + fi # Delete all other interfaces local intf - for intf in /sys/class/net/gre* /sys/class/net/vti*; do + for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do intf="$(basename "${intf}")" # Ignore a couple of interfaces that cannot be deleted
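Review bot: The `ip link change dev "${intf}" … "${args[@]}" &>/dev/null` branch in the new block still discards its exit status and error output, while the sibling `ip link add` branch directly below it now logs and `continue`s on failure; when updating the endpoints of an existing tunnel fails, the script goes on to flush and re-add the address, set the MTU and bring the interface up with whatever endpoints it had before. Mirror the add path: `if ! ip link change dev "${intf}" type "${interface_mode}" "${args[@]}"; then` / `log "Could not update interface ${intf}"; continue` / `fi`. The hunk text between `local="$(` and `/dev/null` is garbled in this rendering, so whatever fallback applies when /var/ipfire/red/local-ipaddress is unreadable is not visible here; if nothing rejects an empty `local`, the empty string reaches `ip` as its `local` argument and only the add path would report it. main() continues beyond the end of the hunk.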