X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Fscripts%2Fvpn-watch;h=08d562be8499bb44c75b31c2e60357625fd1649d;hp=70345dbccbaac77832875433661f014a5c431940;hb=af0e9924804e241452f2efbb2e12ca7dacf8385a;hpb=1d4b4bae1effccc2c645238bf300c73b4ff21029
diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch
index 70345dbccb..08d562be84 100755
--- a/src/scripts/vpn-watch
+++ b/src/scripts/vpn-watch
@@ -1,181 +1,68 @@
-#!/bin/sh
-# IPsec startup and shutdown script
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: setup.in,v 1.122.6.3 2006/10/26 23:54:32 paul Exp $
-#
-# ipsec init.d script for starting and stopping
-# the IPsec security subsystem (KLIPS and Pluto).
-#
-# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
-# and is also accessible as "ipsec setup" (the preferred route for human
-# invocation).
-#
-# The startup and shutdown times are a difficult compromise (in particular,
-# it is almost impossible to reconcile them with the insanely early/late
-# times of NFS filesystem startup/shutdown). Startup is after startup of
-# syslog and pcmcia support; shutdown is just before shutdown of syslog.
-#
-# chkconfig: 2345 47 76
-# description: IPsec provides encrypted and authenticated communications; \
-# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+#!/usr/bin/perl
+##################################################
+##### VPN-Watch.pl Version 0.4a #####
+##################################################
+# #
+# VPN-Watch is part of the IPFire Firewall #
+# #
+##################################################
+
+use strict;
+
+require '/var/ipfire/general-functions.pl';
+my @vpnsettings;
+my $i = 0;
+my $file = "/var/run/vpn-watch.pid";
+my $debug = 0;
+
+if ( -e $file ){
+ logger("There my be another vpn-watch runnning because $file exists, vpn-watch will try kill the process.");
+ open(FILE, "<$file");
+ my $PID = ;
+ close(FILE);
+ system("kill -9 $PID");
+ }
+
+system("echo $$ > $file");
+
+while ( $i == 0){
+ if ($debug){logger("We will wait 300 seconds before next action.");}
+ sleep(300);
+
+ if (open(FILE, "<${General::swroot}/vpn/config")) {
+ @vpnsettings = ;
+ close(FILE);
+ unless(@vpnsettings) {exit 1;}
+ }
+
+foreach (@vpnsettings){
+ my @settings = split(/,/,$_);
+
+ if ($settings[27] ne 'RED'){next;}
+ if ($settings[4] ne 'net'){next;}
+ if ($settings[1] ne 'on'){next;}chomp($settings[29]);
+ if ($settings[29] ne 'on'){next;}
+
+ my $remotehostname = $settings[11];
+
+ if ($debug){logger("Checking connection to $remotehostname.");}
+
+ my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
+ if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
+ my $connected= `ipsec whack --status | grep $remoteip`;
+ my $established= `ipsec whack --status | grep '$settings[2]' | grep 'IPsec SA established'`;
+
+ if ( $established eq '' || $connected eq '' ){
+ logger("Remote IP for host $remotehostname has changed or no connection is established, restarting connection to $remoteip.");
+ system("/usr/local/bin/ipsecctrl S $settings[0]");
+ last; #all connections will reloaded
+ }
+ }
+ if ($debug){logger("All connections may be fine nothing was done.");}
+}
+
+sub logger {
+ my $log = shift;
+ system("logger -t vpnwatch \"$log\"");
+}
-me='ipsec setup' # for messages
-
-# where the private directory and the config files are
-IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
-IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
-IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
-IPSEC_CONFS="${IPSEC_CONFS-/etc}"
-
-if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command
-then
- # we must establish a suitable PATH ourselves
- PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
- export PATH
-
- IPSEC_DIR="$IPSEC_LIBDIR"
- export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
-fi
-
-# Check that the ipsec command is available.
-found=
-for dir in `echo $PATH | tr ':' ' '`
-do
- if test -f $dir/ipsec -a -x $dir/ipsec
- then
- found=yes
- break # NOTE BREAK OUT
- fi
-done
-if ! test "$found"
-then
- echo "cannot find ipsec command -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup
- exit 1
-fi
-
-# accept a few flags
-
-export IPSEC_setupflags
-IPSEC_setupflags=""
-
-config=""
-
-for dummy
-do
- case "$1" in
- --showonly|--show) IPSEC_setupflags="$1" ;;
- --config) config="--config $2" ; shift ;;
- *) break ;;
- esac
- shift
-done
-
-
-# Pick up IPsec configuration (until we have done this, successfully, we
-# do not know where errors should go, hence the explicit "daemon.error"s.)
-# Note the "--export", which exports the variables created.
-eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
-
-if test " $IPSEC_confreadstatus" != " "
-then
- case $1 in
- stop|--stop|_autostop)
- echo "$IPSEC_confreadstatus -- \`$1' may not work" |
- logger -s -p daemon.error -t ipsec_setup;;
-
- *) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup;
- exit 1;;
- esac
-fi
-
-IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
-export IPSEC_confreadsection
-
-IPSECsyslog=${IPSECsyslog-daemon.error}
-export IPSECsyslog
-
-# misc setup
-umask 022
-
-mkdir -p /var/run/pluto
-
-
-# do it
-case "$1" in
- start|--start|stop|--stop|_autostop|_autostart)
- wanttodo=$1
- if test " `id -u`" != " 0"
- then
- echo "permission denied (must be superuser)" |
- logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- exit 1
- fi
- tmp=/var/run/pluto/ipsec_setup.st
- outtmp=/var/run/pluto/ipsec_setup.out
- (
- ipsec _realsetup $1
- echo "$?" >$tmp
- ) > ${outtmp} 2>&1
- st=$?
- if test -f $tmp
- then
- st=`cat $tmp`
- rm -f $tmp
- fi
- if [ -f ${outtmp} ]; then
- cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- rm -f ${outtmp}
- fi
- if [ "$wanttodo" = "start" -o "$wanttodo" = "--start" -o "$wanttodo" = "_autostart" ]; then
- sleep 20 && chown root:nobody /var/run/pluto -R && chmod 770 /var/run/pluto -R && ln -f /var/run/pluto/pluto.pid /var/run/pluto.pid 2>&1 &
- fi
- exit $st
- ;;
-
- restart|--restart|force-reload)
- $0 $IPSEC_setupflags stop
- $0 $IPSEC_setupflags start
- ;;
-
- _autorestart) # for internal use only
- $0 $IPSEC_setupflags _autostop
- $0 $IPSEC_setupflags _autostart
- ;;
-
- status|--status)
- ipsec _realsetup $1
- exit
- ;;
-
- --version)
- echo "$me $IPSEC_VERSION"
- exit 0
- ;;
-
- --help)
- echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
- echo " $me --status"
- exit 0
- ;;
-
- *)
- echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
- echo " $me --status"
- exit 2
-esac
-
-exit 0
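Review bot: Values read from the VPN config — `$settings[11]` as `$remotehostname`, `$settings[2]` and `$settings[0]` — and the contents of the PID file are interpolated unescaped into shell commands that this script runs as root (the `ping` backticks, the two `grep` pipelines, `system("/usr/local/bin/ipsecctrl S $settings[0]")`, `system("kill -9 $PID")`) and, through `logger()`, into `system("logger -t vpnwatch \"$log\"")`, so a field containing shell metacharacters is executed rather than treated as data. Validate each value against an anchored pattern and reassign from the capture, and use list-form `system` and the `kill` builtin so no shell is involved; the sketch below covers the PID file, the hostname and `logger()`, and the `ipsec whack --status | grep …` checks need the same treatment (read the status output into Perl and match it with `\Q…\E`). Separately, in `if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}` the debug message sits after `next` and can never run; swap the two statements. The file also lacks `use warnings;`, and both `open(FILE, "<…")` calls should be the three-arg form on a lexical handle with an `or` check — the first one's result is never examined, so an unreadable PID file silently feeds an empty value to `kill`.
```perl
# … unchanged: header, use strict, variable declarations …
if ( -e $file ){
    logger("There my be another vpn-watch runnning because $file exists, vpn-watch will try kill the process.");
    open(my $pidfh, '<', $file) or die "open $file: $!";
    my $PID = <$pidfh>;
    close($pidfh);
    # Only a well-formed numeric PID is acted on, and never through a shell.
    if (defined $PID && $PID =~ m{\A\s*(\d+)\s*\z}) {
        my $pid = $1;
        kill 'KILL', $pid;
    }
}
# … unchanged: main loop and connection filtering …
    my $remotehostname = $settings[11];
    # Accept only hostname/IP characters; anything else never reaches ping.
    next unless $remotehostname =~ m{\A([A-Za-z0-9.\-]+)\z};
    $remotehostname = $1;
# … unchanged: ping / ipsec whack status checks …
        system('/usr/local/bin/ipsecctrl', 'S', $settings[0]);
# … unchanged: rest of loop …
sub logger {
    my $log = shift;
    system('logger', '-t', 'vpnwatch', $log);
}
```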