dist_hooks_zones_SCRIPTS = \
src/hooks/zones/6to4-tunnel \
src/hooks/zones/bridge \
+ src/hooks/zones/ip-tunnel \
src/hooks/zones/modem \
src/hooks/zones/pppoe \
src/hooks/zones/wireless
man/network-vpn.8 \
man/network-vpn-security-policies.8 \
man/network-zone.8 \
- man/network-zone-6to4-tunnel.8 \
man/network-zone-bridge.8 \
man/network-zone-config-pppoe-server.8 \
+ man/network-zone-ip-tunnel.8 \
man/network-zone-modem.8 \
man/network-zone-pppoe.8 \
man/network-zone-wireless.8
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <command><replaceable>NAME</replaceable> pseudo-random-functions <replaceable>[PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION...|-PSEUDO-RANDOM-FUNCTION]</replaceable>
+ </command>
+ </term>
+
+ <listitem>
+ <para>
+ This command allows modifying the list of pseudo random functions
+ similar to the <command>ciphers</command> command.
+ </para>
+
+ <para>
+ These functions are used in combination with an AEAD cipher only.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>
<command><replaceable>NAME</replaceable> group-types <replaceable>[GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE]</replaceable>
+++ /dev/null
-<?xml version="1.0"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<refentry id="network-zone-6to4-tunnel">
- <refentryinfo>
- <title>network-zone-6to4-tunnel</title>
- <productname>network</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Michael</firstname>
- <surname>Tremer</surname>
- <email>michael.tremer@ipfire.org</email>
- </author>
- </authorgroup>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle>network-zone-6to4-tunnel</refentrytitle>
- <manvolnum>8</manvolnum>
- </refmeta>
-
- <refnamediv>
- <refname>network-zone-6to4-tunnel</refname>
- <refpurpose>Network Configuration Control Program</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>network zone new <replaceable>ZONE</replaceable> 6to4-tunnel ...</command>
- </cmdsynopsis>
-
- <cmdsynopsis>
- <command>network zone <replaceable>ZONE</replaceable> edit ...</command>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>Description</title>
-
- <para>
- The 6to4-tunnel hook is used to create IPv6 tunnels over IPv4 networks
- where the provider does not provide native IPv6.
- </para>
- <para>
- Hurricane Electric offers a free tunnelbroker service on
- http://www.tunnelbroker.net, that can be used with this hook.
- </para>
- </refsect1>
-
- <refsect1>
- <title>Options</title>
-
- <para>
- The following options are understood:
- </para>
-
- <variablelist>
- <varlistentry>
- <term>
- <option>--server-address=<replaceable>ADDRESS</replaceable></option>
- </term>
-
- <listitem>
- <para>
- The address of the tunnel endpoint server.
- </para>
- <para>
- This is the IPv4 address of the server, to where
- the tunnel is created.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--local-ipv4-address=<replaceable>ADDRESS</replaceable></option>
- </term>
-
- <listitem>
- <para>
- The local IPv4 address that is used to connect to
- the server.
- </para>
- <para>
- Attention! In case your local tunnel endpoint is behind
- a NAT, you need to configure the internet IP address instead
- of the public IP address.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--local-ipv6-address=<replaceable>ADDRESS</replaceable></option>
- </term>
-
- <listitem>
- <para>
- The local IPv6 address of your tunnel.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- <para>
- Optional arguments, that can be used to automatically update the
- tunnel endpoint IPv4 address with tunnelbroker.net:
- </para>
-
- <variablelist>
- <varlistentry>
- <term>
- <option>--auto-update-endpoint=[<emphasis>false</emphasis>|true]</option>
- </term>
-
- <listitem>
- <para>
- Determines whether the tunnel endpoint IPv4 address should
- be automatically updated or not.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--username=<replaceable>USERNAME</replaceable></option>
- </term>
-
- <listitem>
- <para>
- The username of your tunnelbroker.net account.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--password=<replaceable>PASSWORD</replaceable></option>
- </term>
-
- <listitem>
- <para>
- The password of your tunnelbroker.net account.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--tunnel-id=<replaceable>N</replaceable></option>
- </term>
-
- <listitem>
- <para>
- The ID of this tunnel, given to you by tunnelbroker.net.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>See Also</title>
-
- <para>
- <citerefentry>
- <refentrytitle>network</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>network-zone</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-</refentry>
--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<refentry id="network-zone-ip-tunnel">
+ <refentryinfo>
+ <title>network-zone-ip-tunnel</title>
+ <productname>network</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Michael</firstname>
+ <surname>Tremer</surname>
+ <email>michael.tremer@ipfire.org</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>network-zone-ip-tunnel</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>network-zone-ip-tunnel</refname>
+ <refpurpose>Network Configuration Control Program</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>network zone new <replaceable>ZONE</replaceable> ip-tunnel ...</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>network zone <replaceable>ZONE</replaceable> edit ...</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>
+ The ip-tunnel hook is used to create IP tunnels that use protocols
+ like GRE to encapsulate IP packets.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>
+ The following options are understood:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>--mode=<replaceable>MODE</replaceable></option>
+ </term>
+
+ <listitem>
+ <para>
+ Sets the protocol that is being used to encapsulate
+ IP packets.
+ Currently only <replaceable>gre</replaceable> is supported.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>--peer=<replaceable>PEER</replaceable></option>
+ </term>
+
+ <listitem>
+ <para>
+ The address of the peer that terminates the remote
+ end of this tunnel.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>--local-address=<replaceable>LOCAL-ADDRESS</replaceable></option>
+ </term>
+
+ <listitem>
+ <para>
+ The local IP address the tunnel originates from.
+ </para>
+
+ <para>
+ This is optional and if unset a useful default will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+
+ <para>
+ <citerefentry>
+ <refentrytitle>network</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>network-zone</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
list_match ${proto} ${IP_SUPPORTED_PROTOCOLS}
}
+# Returns true if all IP addresses are of the same protocol
+ip_protocol_match() {
+ local address="${1}"
+ shift
+
+ # Get protocol of the first address
+ local protocol="$(ip_detect_protocol "${address}")"
+
+ # Check if all other addresses match the protocol
+ for address in $@; do
+ local p="$(ip_detect_protocol "${address}")"
+
+ if [ "${p}" != "${protocol}" ]; then
+ return ${EXIT_FALSE}
+ fi
+ done
+
+ return ${EXIT_TRUE}
+}
+
ip_is_valid() {
local address=${1}
assert isset address
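Review bot: The loop head `for address in $@; do` word-splits and glob-expands the remaining arguments; it should be `for address in "$@"; do`, and reusing the `address` parameter as the loop variable deserves a separate name so the first address is not silently overwritten. The function also answers true when ip_detect_protocol prints nothing for every argument, because the empty strings compare equal, so an undetectable first address is treated as matching; a guard after the first detection, `isset protocol || return ${EXIT_FALSE}`, closes that gap. Splitting `local protocol="$(…)"` into declaration and assignment would keep the helper's exit status visible, although the callers on this page only rely on the printed value.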
IP_TUNNEL_MODES="gre sit vti"
+ip_tunnel_protocol_to_name() {
+ local protocol="${1}"
+
+ case "${protocol}" in
+ gre)
+ print "Generic Routing Encapsulation"
+ ;;
+ sit)
+ print "Simple Internet Transition"
+ ;;
+ vti)
+ print "Virtual Tunnel Interface"
+ ;;
+ *)
+ print "${protocol}"
+ ;;
+ esac
+}
+
# This function converts our modes into the type
# the iproute2 tool uses
ip_tunnel_convert_mode_to_iproute2_mode() {
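Review bot: ip_tunnel_protocol_to_name has no header comment, while the neighbouring ip_tunnel_convert_mode_to_iproute2_mode documents its purpose above the definition; add `# Returns a human-readable name for a tunnel protocol from IP_TUNNEL_MODES` above the function. The default arm prints the input unchanged, which is presumably intended for status output but means a caller cannot distinguish an unknown protocol from a known one; a comment on the `*)` arm, `# Unknown protocols are printed verbatim`, would record that choice.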
return ${EXIT_ERROR}
fi
- # Detect the IP protocol, which is important to decide which mode we have to use
- local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"
-
- # If we could not detect the IP protocol something with
- # ${remote_address} is wrong
- if ! isset remote_address_protocol; then
- log ERROR "Could not determine remote address IP protocol"
- return ${EXIT_ERROR}
- fi
-
# We cannot mix IPv6 and IPv4
- if [[ "${remote_address_protocol}" != \
- "$(ip_detect_protocol "${local_address}")" ]] ; then
- log ERROR "Local and remote address\
- are not from the same IP protocol"
+ if isset local_address && ! ip_protocol_match "${remote_address}" "${local_address}"; then
+ log ERROR "Local and remote address are not of the same IP protocol"
return ${EXIT_ERROR}
fi
fi
# Determine the mode based on the IP protocol
+ local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"
mode=$(ip_tunnel_convert_mode_to_iproute2_mode "${mode}" "${remote_address_protocol}")
log DEBUG "Creating tunnel device '${device}' (mode=${mode})..."
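Review bot: The removed guard on remote_address_protocol is not re-established: the new `local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"` feeds an empty value into ip_tunnel_convert_mode_to_iproute2_mode when the protocol cannot be detected, where the old code logged "Could not determine remote address IP protocol" and returned EXIT_ERROR. The new ip_protocol_match check does not cover this case either, since two undetectable addresses compare as equal empty protocols. ip_tunnel_add begins outside the hunk, so any earlier validation of remote_address is not visible here; unless something upstream already rejects it, the isset check should return alongside the detection.
```shell
	# Determine the mode based on the IP protocol
	local remote_address_protocol="$(ip_detect_protocol "${remote_address}")"

	# An undetectable protocol cannot be mapped to an iproute2 mode
	if ! isset remote_address_protocol; then
		log ERROR "Could not determine remote address IP protocol"
		return ${EXIT_ERROR}
	fi
	mode=$(ip_tunnel_convert_mode_to_iproute2_mode "${mode}" "${remote_address_protocol}")
```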
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2010 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-. /usr/lib/network/header-zone
-
-HOOK_SETTINGS="HOOK SERVER_ADDRESS LOCAL_ADDRESS LOCAL_ADDRESS6 TUNNEL_ID"
-HOOK_SETTINGS="${HOOK_SETTINGS} AUTO_UPDATE_ENDPOINT USERNAME PASSWORD"
-
-# The IPv4 address of the tunnel endpoint where to connect to.
-SERVER_ADDRESS=
-
-# The local IPv4 address of the tunnel endpoint.
-LOCAL_ADDRESS=
-
-# The address that is assigned to the tunnel device (with prefix).
-LOCAL_ADDRESS6=
-
-# True if the endpoint IP address should be automatically
-# updated each time the tunnel connects.
-AUTO_UPDATE_ENDPOINT="false"
-
-# The ID of the tunnel.
-TUNNEL_ID=
-
-# Credentials for the tunnelbroker.net service.
-USERNAME=
-PASSWORD=
-
-hook_check_settings() {
- assert isset SERVER_ADDRESS
- assert isset LOCAL_ADDRESS
- assert isset LOCAL_ADDRESS6
- # LOCAL_ADDRESS6 needs to have a prefix
- assert ipv6_net_is_valid LOCAL_ADDRESS6
-
- if enabled AUTO_UPDATE_ENDPOINT; then
- assert isset TUNNEL_ID
- assert isset USERNAME
- assert isset PASSWORD
- fi
-}
-
-hook_parse_cmdline() {
- local value
-
- while [ $# -gt 0 ]; do
- case "${1}" in
- --server-address=*)
- SERVER_ADDRESS=$(cli_get_val "${1}")
- ;;
- --local-ipv4-address=*)
- LOCAL_ADDRESS=$(cli_get_val "${1}")
- ;;
- --local-ipv6-address=*)
- LOCAL_ADDRESS6=$(cli_get_val "${1}")
- ;;
- --auto-update-endpoint=*)
- local val="$(cli_get_val "${1}")"
-
- if enabled val; then
- AUTO_UPDATE_ENDPOINT="true"
- else
- AUTO_UPADTE_ENDPOINT="false"
- fi
- ;;
- --tunnel-id=*)
- TUNNEL_ID="$(cli_get_val "${1}")"
- ;;
- --username=*)
- USERNAME="$(cli_get_val "${1}")"
- ;;
- --password=*)
- PASSWORD="$(cli_get_val "${1}")"
- ;;
- *)
- echo "Unknown option: ${1}" >&2
- exit ${EXIT_ERROR}
- ;;
- esac
- shift
- done
-}
-
-hook_up() {
- local zone=${1}
- assert isset zone
-
- # Read configuration options.
- zone_settings_read "${zone}"
-
- if enabled AUTO_UPDATE_ENDPOINT; then
- log DEBUG "Updating tunnel endpoint"
-
- he_tunnelbroker_endpoint_update \
- --username="${USERNAME}" \
- --password="${PASSWORD}" \
- --tunnel-id="${TUNNEL_ID}"
- fi
-
- ip_tunnel_add ${zone} --ttl=255 \
- --remote-address="${SERVER_ADDRESS}" \
- --local-address="${LOCAL_ADDRESS}"
-
- # Bring up the device.
- device_set_up ${zone}
-
- # Assign IPv6 address.
- ip_address_add ${zone} ${LOCAL_ADDRESS6}
-
- # Update routing information.
- db_set "${zone}/ipv6/type" "${HOOK}"
- db_set "${zone}/ipv6/local-ip-address" "${LOCAL_ADDRESS6}"
- db_set "${zone}/ipv6/active" 1
-
- # Update the routing database.
- routing_update ${zone} ipv6
- routing_default_update
-
- exit ${EXIT_OK}
-}
-
-hook_down() {
- local zone=${1}
- assert isset zone
-
- # Remove everything from the routing db.
- db_delete "${zone}/ipv6"
-
- routing_update ${zone} ipv6
- routing_default_update
-
- # Remove the tunnel device.
- ip_tunnel_del ${zone}
-
- exit ${EXIT_OK}
-}
-
-hook_status() {
- local zone=${1}
- assert isset zone
-
- cli_device_headline ${zone}
-
- zone_settings_read "${zone}"
-
- local server_line="${SERVER_ADDRESS}"
- local server_hostname=$(dns_get_hostname ${SERVER_ADDRESS})
- if [ -n "${server_hostname}" ]; then
- server_line="${server_line} (Hostname: ${server_hostname})"
- fi
-
- cli_headline 2 "Configuration"
- cli_print_fmt1 2 "Server" "${server_line}"
- cli_print_fmt1 2 "Endpoint IPv4 address" "${LOCAL_ADDRESS}"
- cli_print_fmt1 2 "Endpoint IPv6 address" "${LOCAL_ADDRESS6}"
- cli_space
-
- exit ${EXIT_OK}
-}
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2010 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+. /usr/lib/network/header-zone
+
+SUPPORTED_IP_TUNNEL_MODES="gre"
+
+HOOK_SETTINGS="HOOK MODE PEER LOCAL_ADDRESS"
+
+# Default mode of the tunnel
+MODE="gre"
+
+# The IP address of the tunnel endpoint where to connect to
+PEER=
+
+# The local IP address of the tunnel endpoint
+LOCAL_ADDRESS=
+
+hook_check_settings() {
+ assert isset MODE && assert isoneof MODE ${SUPPORTED_IP_TUNNEL_MODES}
+
+ assert isset PEER && assert ip_is_valid "${PEER}"
+
+ # LOCAL_ADDRESS must be valid and match the protocol of PEER
+ if isset LOCAL_ADDRESS; then
+ assert ip_is_valid "${LOCAL_ADDRESS}"
+ assert ip_protocol_match "${PEER}" "${LOCAL_ADDRESS}"
+ fi
+}
+
+hook_parse_cmdline() {
+ while [ $# -gt 0 ]; do
+ case "${1}" in
+ --local-address=*)
+ LOCAL_ADDRESS="$(cli_get_val "${1}")"
+ ;;
+
+ --mode=*)
+ MODE="$(cli_get_val "${1}")"
+
+ # MODE must be on the list of supported protocols
+ if ! isoneof MODE ${SUPPORTED_IP_TUNNEL_MODES}; then
+ error "Unsupported mode: ${mode}"
+ return ${EXIT_ERROR}
+ fi
+ ;;
+
+ --peer=*)
+ PEER="$(cli_get_val "${1}")"
+ ;;
+
+ *)
+ error "Unknown option: ${1}"
+ exit ${EXIT_ERROR}
+ ;;
+ esac
+ shift
+ done
+
+ # PEER must be set
+ if ! isset PEER; then
+ error "Peer is not set"
+ return ${EXIT_ERROR}
+ fi
+
+ # PEER must be a valid IP address
+ if ! ip_is_valid "${PEER}"; then
+ error "Peer ${PEER} is not a valid IP address"
+ return ${EXIT_ERROR}
+ fi
+
+ # If LOCAL_ADDRESS is set, it must be a valid IP address
+ # of the same protocol than PEER is
+ if isset LOCAL_ADDRESS; then
+ if ! ip_is_valid "${LOCAL_ADDRESS}"; then
+ error "Local address ${LOCAL_ADDRESS} is not a valid IP address"
+ return ${EXIT_ERROR}
+ fi
+
+ if ! ip_protocol_match "${PEER}" "${LOCAL_ADDRESS}"; then
+ error "Peer and local address are of different IP protocols"
+ return ${EXIT_ERROR}
+ fi
+ fi
+
+ return ${EXIT_OK}
+}
+
+hook_up() {
+ local zone=${1}
+ assert isset zone
+
+ # Read configuration
+ if ! zone_settings_read "${zone}"; then
+ log ERROR "Could not read settings from ${zone}"
+ exit ${EXIT_ERROR}
+ fi
+
+ # Create device if it doesn't exist, yet
+ if ! device_exists "${zone}"; then
+ ip_tunnel_add "${zone}" \
+ --mode="${MODE}" \
+ --remote-address="${PEER}" \
+ --local-address="${LOCAL_ADDRESS}"
+ fi
+
+ # Bring up the device
+ device_set_up "${zone}"
+
+ # Bring up all configurations
+ zone_configs_up "${zone}"
+
+ exit ${EXIT_OK}
+}
+
+hook_down() {
+ local zone="${1}"
+ assert isset zone
+
+ # Stop all the configs.
+ zone_configs_down "${zone}"
+
+ # Remove the tunnel device
+ ip_tunnel_del "${zone}" || exit $?
+
+ exit ${EXIT_OK}
+}
+
+hook_status() {
+ local zone=${1}
+ assert isset zone
+
+ cli_device_headline "${zone}"
+
+ # Read configuration
+ if ! zone_settings_read "${zone}"; then
+ error "Could not read settings from ${zone}"
+ exit ${EXIT_ERROR}
+ fi
+
+ cli_headline 2 "Configuration"
+ cli_print_fmt1 2 "Mode" "$(ip_tunnel_protocol_to_name "${MODE}")"
+ cli_print_fmt1 2 "Peer" "${PEER}"
+ if isset LOCAL_ADDRESS; then
+ cli_print_fmt1 2 "Local Address" "${LOCAL_ADDRESS}"
+ fi
+ cli_space
+
+ cli_headline 2 "Configurations"
+ zone_configs_cmd status "${zone}"
+ cli_space
+
+ exit ${EXIT_OK}
+}
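Review bot: In hook_parse_cmdline the rejection message for an unsupported mode expands `${mode}`, which is never assigned in this file, while the value that failed the check is in `MODE`; it should read `error "Unsupported mode: ${MODE}"` so the user sees what was rejected. The same branch returns EXIT_ERROR while the unknown-option arm a few lines below calls exit, so the two failure paths behave differently for the caller; using the return form, which hook_parse_cmdline already ends with, would make them consistent. Validating PEER with ip_is_valid and MODE against SUPPORTED_IP_TUNNEL_MODES before either reaches ip_tunnel_add is the right shape; since hook_check_settings repeats the same checks, a one-line comment noting that the parse-time checks cover command-line input and the settings-time checks cover the stored configuration would explain the duplication.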
fi
local zone="${1}"
- assert zone_exists "${zone}"
- if zone_is_up ${zone}; then
- echo "Zone '${zone}' is up and will be removed when it goes down the next time."
- zone_destroy "${zone}"
- else
- echo "Removing zone '${zone}' now..."
- zone_destroy_now "${zone}"
+ # Check if the zone exists
+ if ! zone_exists "${zone}"; then
+ error "Zone '${zone}' does not exist"
+ return ${EXIT_ERROR}
fi
- exit ${EXIT_OK}
+ echo "Removing zone '${zone}'..."
+ zone_destroy "${zone}" || exit $?
}
cli_zone_port() {