[people/ms/network.git] / src / functions / functions.ip-tunnel

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012-2013  IPFire Network Development Team                    #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

IP_TUNNEL_MODES="gre gretap sit vti"

ip_tunnel_protocol_to_name() {
	local protocol="${1}"

	case "${protocol}" in
		gre)
			print "Generic Routing Encapsulation"
			;;
		sit)
			print "Simple Internet Transition"
			;;
		vti)
			print "Virtual Tunnel Interface"
			;;
		*)
			print "${protocol}"
			;;
	esac
}

# This function converts our modes into the type
# the iproute2 tool uses
ip_tunnel_convert_mode_to_iproute2_mode() {
	local mode=${1}
	local protocol=${2}

	if ! isset mode || ! isset protocol; then
		log ERROR "Did not get mode and/or protocol"
		return ${EXIT_ERROR}
	fi

	if [[ "${protocol}" = "ipv4" ]]; then
		# When we use IPv4 we can use our modes
		echo "${mode}"
	fi

	if [[ "${protocol}" = "ipv6" ]]; then
		# When we use IPv6 we have to convert
		case "${mode}" in
			"vti")
				echo "vti6"
				;;
			"gre")
				echo "ip6gre"
				;;
			"gretap")
				echo "ip6gretap"
				;;
		esac
	fi
}

ip_tunnel_add() {
	local device="${1}"
	shift

	local mode
	local ttl=255

	local address
	local remote_address
	local local_address

	local ikey
	local okey

	while [ $# -gt 0 ]; do
		case "${1}" in
			--address=*)
				address="$(cli_get_val "${1}")"

				# Validate input
				if ! isset address || ! mac_is_valid "${address}"; then
					error "Invalid MAC address: ${address}"
					return ${EXIT_ERROR}
				fi
				;;
			--mode=*)
				mode="$(cli_get_val "${1}")"
				;;
			--ttl=*)
				ttl="$(cli_get_val "${1}")"
				;;
			--remote-address=*)
				remote_address="$(cli_get_val "${1}")"
				;;
			--local-address=*)
				local_address="$(cli_get_val "${1}")"
				;;

			# Keys for VTI
			--ikey=*)
				ikey="$(cli_get_val "${1}")"
				;;
			--okey=*)
				okey="$(cli_get_val "${1}")"
				;;
		esac
		shift
	done

	if ! isset mode; then
		error "--mode= is not set. Must be one of ${IP_TUNNEL_MODES}"
		return ${EXIT_ERROR}
	fi

	if ! isoneof mode ${IP_TUNNEL_MODES}; then
		error "Invalid mode: ${mode}"
		return ${EXIT_ERROR}
	fi

	# We cannot mix IPv6 and IPv4
	if isset local_address && ! ip_protocol_match "${remote_address}" "${local_address}"; then
		log ERROR "Local and remote address are not of the same IP protocol"
		return ${EXIT_ERROR}
	fi

	# ikey and okey must be set for VTI devices
	if [ "${mode}" = "vti" ] && (! isset ikey || ! isset okey); then
		error "--ikey= and --okey= must be set for VTI device"
		return ${EXIT_ERROR}
	fi

	# Custom checks for certain modes
	case "${mode}" in
		gretap)
			# Generate a random MAC address if none was passed
			if ! isset address; then
				address="$(mac_generate)"
			fi
			;;
	esac

	# If TTL is set, make sure it is an integer.
	if isset ttl && ! isinteger ttl; then
		error "TTL must be an integer: ${ttl}"
		return ${EXIT_ERROR}
	fi

	# Determine the mode based on the IP protocol
	local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"
	mode=$(ip_tunnel_convert_mode_to_iproute2_mode "${mode}" "${remote_address_protocol}")

	local cmd_args=( name "${device}" )

	if isset address; then
		cmd_args=( "${cmd_args[@]}" "address" "${address}" )
	fi

	# Mode
	cmd_args=( "${cmd_args[@]}" "type" "${mode}" )

	# Apply TTL if a value has been set.
	if isset ttl; then
		cmd_args=( "${cmd_args[@]}" "ttl" "${ttl}" )
	fi

	# Apply local address if a value has been set.
	if isset local_address; then
		cmd_args=( "${cmd_args[@]}" "local" "${local_address}" )
	fi

	# Apply remote address if a value has been set.
	if isset remote_address; then
		cmd_args=( "${cmd_args[@]}" "remote" "${remote_address}" )
	fi

	# Add ikey and okey for VTI devices
	if [ "${mode}" = "vti" ]; then
		cmd_args=( "${cmd_args[@]}" "ikey" "${ikey}" "okey" "${okey}" )
	fi

	log DEBUG "Creating tunnel device '${device}' (mode=${mode})..."

	# Create the device.
	if ! cmd ip link add "${cmd_args[@]}"; then
		error "Could not create tunnel device ${device}"
		return ${EXIT_ERROR}
	fi

	# Disable policy lookups for VTI devices
	if [ "${mode}" = "vti" ]; then
		sysctl_set "net.ipv4.conf.${device}.disable_policy" "1"
	fi

	return ${EXIT_OK}
}

ip_tunnel_del() {
	device_delete "$@"
}

ip_tunnel_change() {
	local device="${1}"
	shift

	if ! device_exists "${device}"; then
		log ERROR "No such device: ${device}"
		return ${EXIT_ERROR}
	fi

	# Determine the device type
	local type="$(device_tunnel_get_type ${device})"

	local local
	local remote

	while [ $# -gt 0 ]; do
		case "${1}" in
			--local=*)
				local="$(cli_get_val "${1}")"

				if ! ip_is_valid "${local}"; then
					error "Invalid IP address for --local: ${local}"
					return ${EXIT_ERROR}
				fi

				if ! isoneof "type" gre gre6 vti vti6; then
					log ERROR "Cannot change --local for devices of type ${type}"
					return ${EXIT_ERROR}
				fi
				;;
			--remote=*)
				remote="$(cli_get_val "${1}")"

				if ! ip_is_valid "${remote}"; then
					error "Invalid IP address for --remote: ${remote}"
					return ${EXIT_ERROR}
				fi

				if ! isoneof "type" gre gre6 vti vti6; then
					log ERROR "Cannot change --remote for devices of type ${type}"
					return ${EXIT_ERROR}
				fi
				;;
		esac
		shift
	done

	# XXX If a device is of an IP protocol and the protocol of remote and local
	# have changed, we will need to destroy the interface and recreate it with
	# the correct type

	local cmd_args

	if isset local; then
		cmd_args="${cmd_args} local ${local}"
	fi

	if isset remote; then
		cmd_args="${cmd_args} remote ${remote}"
	fi

	# Exit if there is nothing to do
	if ! isset cmd_args; then
		return ${EXIT_OK}
	fi

	# Run ip command
	cmd ip link change dev "${device}" type "${type}" ${cmd_args}
}
Commit	Line	Data
cccb3a4b MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
9390b61b	5	# Copyright (C) 2012-2013 IPFire Network Development Team #
cccb3a4b MT	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
a1da77dd	22	IP_TUNNEL_MODES="gre gretap sit vti"
cccb3a4b	23
85de251d MT	24	ip_tunnel_protocol_to_name() {
	25	local protocol="${1}"
	26
	27	case "${protocol}" in
	28	gre)
	29	print "Generic Routing Encapsulation"
	30	;;
	31	sit)
	32	print "Simple Internet Transition"
	33	;;
	34	vti)
	35	print "Virtual Tunnel Interface"
	36	;;
	37	*)
	38	print "${protocol}"
	39	;;
	40	esac
	41	}
	42
376629dc JS	43	# This function converts our modes into the type
	44	# the iproute2 tool uses
	45	ip_tunnel_convert_mode_to_iproute2_mode() {
	46	local mode=${1}
	47	local protocol=${2}
	48
	49	if ! isset mode \|\| ! isset protocol; then
	50	log ERROR "Did not get mode and/or protocol"
	51	return ${EXIT_ERROR}
	52	fi
	53
	54	if [[ "${protocol}" = "ipv4" ]]; then
	55	# When we use IPv4 we can use our modes
	56	echo "${mode}"
	57	fi
	58
	59	if [[ "${protocol}" = "ipv6" ]]; then
	60	# When we use IPv6 we have to convert
	61	case "${mode}" in
	62	"vti")
	63	echo "vti6"
	64	;;
	65	"gre")
	66	echo "ip6gre"
a1da77dd MT	67	;;
	68	"gretap")
	69	echo "ip6gretap"
	70	;;
376629dc JS	71	esac
	72	fi
	73	}
	74
1c6a4e30	75	ip_tunnel_add() {
a1da77dd	76	local device="${1}"
cccb3a4b MT	77	shift
cccb3a4b MT	78
1a02da59	79	local mode
ae2c5b2b	80	local ttl=255
cccb3a4b	81
a1da77dd	82	local address
cccb3a4b MT	83	local remote_address
	84	local local_address
	85
1a02da59 MT	86	local ikey
	87	local okey
	88
cccb3a4b MT	89	while [ $# -gt 0 ]; do
cccb3a4b MT	90	case "${1}" in
a1da77dd MT	91	--address=*)
	92	address="$(cli_get_val "${1}")"
	93
	94	# Validate input
	95	if ! isset address \|\| ! mac_is_valid "${address}"; then
	96	error "Invalid MAC address: ${address}"
	97	return ${EXIT_ERROR}
	98	fi
	99	;;
cccb3a4b	100	--mode=*)
2212045f	101	mode="$(cli_get_val "${1}")"
cccb3a4b MT	102	;;
cccb3a4b MT	103	--ttl=*)
2212045f	104	ttl="$(cli_get_val "${1}")"
cccb3a4b	105	;;
cccb3a4b	106	--remote-address=*)
2212045f	107	remote_address="$(cli_get_val "${1}")"
cccb3a4b MT	108	;;
cccb3a4b MT	109	--local-address=*)
2212045f	110	local_address="$(cli_get_val "${1}")"
cccb3a4b	111	;;
1a02da59 MT	112
	113	# Keys for VTI
	114	--ikey=*)
2212045f	115	ikey="$(cli_get_val "${1}")"
1a02da59 MT	116	;;
1a02da59 MT	117	--okey=*)
2212045f	118	okey="$(cli_get_val "${1}")"
1a02da59	119	;;
cccb3a4b MT	120	esac
	121	shift
	122	done
	123
1a02da59 MT	124	if ! isset mode; then
	125	error "--mode= is not set. Must be one of ${IP_TUNNEL_MODES}"
	126	return ${EXIT_ERROR}
	127	fi
	128
	129	if ! isoneof mode ${IP_TUNNEL_MODES}; then
	130	error "Invalid mode: ${mode}"
	131	return ${EXIT_ERROR}
	132	fi
	133
5bbd1fab	134	# We cannot mix IPv6 and IPv4
2a588cab MT	135	if isset local_address && ! ip_protocol_match "${remote_address}" "${local_address}"; then
2a588cab MT	136	log ERROR "Local and remote address are not of the same IP protocol"
5bbd1fab JS	137	return ${EXIT_ERROR}
	138	fi
	139
1a02da59 MT	140	# ikey and okey must be set for VTI devices
	141	if [ "${mode}" = "vti" ] && (! isset ikey \|\| ! isset okey); then
	142	error "--ikey= and --okey= must be set for VTI device"
	143	return ${EXIT_ERROR}
	144	fi
cccb3a4b	145
a1da77dd MT	146	# Custom checks for certain modes
	147	case "${mode}" in
	148	gretap)
	149	# Generate a random MAC address if none was passed
	150	if ! isset address; then
	151	address="$(mac_generate)"
	152	fi
	153	;;
	154	esac
	155
cccb3a4b	156	# If TTL is set, make sure it is an integer.
1a02da59 MT	157	if isset ttl && ! isinteger ttl; then
	158	error "TTL must be an integer: ${ttl}"
	159	return ${EXIT_ERROR}
	160	fi
cccb3a4b	161
a1da77dd MT	162	# Determine the mode based on the IP protocol
	163	local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"
	164	mode=$(ip_tunnel_convert_mode_to_iproute2_mode "${mode}" "${remote_address_protocol}")
	165
	166	local cmd_args=( name "${device}" )
	167
	168	if isset address; then
	169	cmd_args=( "${cmd_args[@]}" "address" "${address}" )
	170	fi
	171
	172	# Mode
	173	cmd_args=( "${cmd_args[@]}" "type" "${mode}" )
cccb3a4b MT	174
	175	# Apply TTL if a value has been set.
	176	if isset ttl; then
a1da77dd	177	cmd_args=( "${cmd_args[@]}" "ttl" "${ttl}" )
cccb3a4b MT	178	fi
cccb3a4b MT	179
eec68f19 MT	180	# Apply local address if a value has been set.
eec68f19 MT	181	if isset local_address; then
a1da77dd	182	cmd_args=( "${cmd_args[@]}" "local" "${local_address}" )
eec68f19 MT	183	fi
eec68f19 MT	184
9390b61b SS	185	# Apply remote address if a value has been set.
9390b61b SS	186	if isset remote_address; then
a1da77dd	187	cmd_args=( "${cmd_args[@]}" "remote" "${remote_address}" )
9390b61b SS	188	fi
9390b61b SS	189
1a02da59 MT	190	# Add ikey and okey for VTI devices
1a02da59 MT	191	if [ "${mode}" = "vti" ]; then
a1da77dd	192	cmd_args=( "${cmd_args[@]}" "ikey" "${ikey}" "okey" "${okey}" )
1a02da59 MT	193	fi
1a02da59 MT	194
cccb3a4b MT	195	log DEBUG "Creating tunnel device '${device}' (mode=${mode})..."
	196
	197	# Create the device.
a1da77dd	198	if ! cmd ip link add "${cmd_args[@]}"; then
1a02da59 MT	199	error "Could not create tunnel device ${device}"
	200	return ${EXIT_ERROR}
	201	fi
ea1857e3 MT	202
	203	# Disable policy lookups for VTI devices
	204	if [ "${mode}" = "vti" ]; then
	205	sysctl_set "net.ipv4.conf.${device}.disable_policy" "1"
	206	fi
	207
	208	return ${EXIT_OK}
cccb3a4b MT	209	}
cccb3a4b MT	210
1c6a4e30	211	ip_tunnel_del() {
21e8d1aa	212	device_delete "$@"
cccb3a4b	213	}
82fac748	214
4f5f487a MT	215	ip_tunnel_change() {
	216	local device="${1}"
	217	shift
	218
	219	if ! device_exists "${device}"; then
	220	log ERROR "No such device: ${device}"
	221	return ${EXIT_ERROR}
	222	fi
	223
	224	# Determine the device type
	225	local type="$(device_tunnel_get_type ${device})"
	226
	227	local local
	228	local remote
	229
	230	while [ $# -gt 0 ]; do
	231	case "${1}" in
	232	--local=*)
	233	local="$(cli_get_val "${1}")"
	234
	235	if ! ip_is_valid "${local}"; then
	236	error "Invalid IP address for --local: ${local}"
	237	return ${EXIT_ERROR}
	238	fi
	239
	240	if ! isoneof "type" gre gre6 vti vti6; then
	241	log ERROR "Cannot change --local for devices of type ${type}"
	242	return ${EXIT_ERROR}
	243	fi
	244	;;
	245	--remote=*)
	246	remote="$(cli_get_val "${1}")"
	247
	248	if ! ip_is_valid "${remote}"; then
	249	error "Invalid IP address for --remote: ${remote}"
	250	return ${EXIT_ERROR}
	251	fi
	252
	253	if ! isoneof "type" gre gre6 vti vti6; then
	254	log ERROR "Cannot change --remote for devices of type ${type}"
	255	return ${EXIT_ERROR}
	256	fi
	257	;;
	258	esac
	259	shift
	260	done
	261
	262	# XXX If a device is of an IP protocol and the protocol of remote and local
	263	# have changed, we will need to destroy the interface and recreate it with
	264	# the correct type
	265
	266	local cmd_args
	267
	268	if isset local; then
	269	cmd_args="${cmd_args} local ${local}"
	270	fi
	271
	272	if isset remote; then
	273	cmd_args="${cmd_args} remote ${remote}"
	274	fi
	275
	276	# Exit if there is nothing to do
	277	if ! isset cmd_args; then
	278	return ${EXIT_OK}
279	fi
280
281	# Run ip command
282	cmd ip link change dev "${device}" type "${type}" ${cmd_args}
283	}