]>
Commit | Line | Data |
---|---|---|
b8c153bc MT |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2015 IPFire Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | shopt -s nullglob | |
23 | ||
24 | VPN_CONFIG="/var/ipfire/vpn/config" | |
25 | ||
54bac014 | 26 | eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) |
b8c153bc MT |
27 | eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) |
28 | ||
29 | VARS=( | |
1ca2f88a MT |
30 | id status name lefthost type ctype psk local x1 leftsubnets |
31 | x2 remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 | |
32 | x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 | |
33 | route x23 mode interface_mode interface_address interface_mtu rest | |
b8c153bc MT |
34 | ) |
35 | ||
36 | log() { | |
37 | logger -t ipsec "$@" | |
38 | } | |
39 | ||
40 | main() { | |
b8c153bc MT |
41 | # Register local variables |
42 | local "${VARS[@]}" | |
43 | local action | |
44 | ||
45 | local interfaces=() | |
1ca2f88a MT |
46 | |
47 | # Compat for older connections | |
48 | if [ "${local}" = "off" ]; then | |
49 | local="" | |
50 | fi | |
54bac014 MT |
51 | |
52 | # Handle %defaultroute | |
1ca2f88a | 53 | if [ -z "${local}" ]; then |
54bac014 | 54 | if [ -r "/var/ipfire/red/local-ipaddress" ]; then |
1ca2f88a | 55 | local="$(</var/ipfire/red/local-ipaddress)" |
54bac014 MT |
56 | |
57 | elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then | |
1ca2f88a | 58 | local="${RED_ADDRESS}" |
54bac014 | 59 | fi |
54bac014 | 60 | fi |
b8c153bc | 61 | |
1a45f9a7 MT |
62 | # We are done when IPsec is not enabled |
63 | if [ "${ENABLED}" = "on" ]; then | |
64 | while IFS="," read -r "${VARS[@]}"; do | |
65 | # Check if the connection is enabled | |
66 | [ "${status}" = "on" ] || continue | |
67 | ||
68 | # Check if this a net-to-net connection | |
69 | [ "${type}" = "net" ] || continue | |
70 | ||
71 | # Determine the interface name | |
72 | case "${interface_mode}" in | |
73 | gre|vti) | |
74 | local intf="${interface_mode}${id}" | |
75 | ;; | |
76 | *) | |
77 | continue | |
78 | ;; | |
79 | esac | |
80 | ||
81 | # Add the interface to the list of all interfaces | |
82 | interfaces+=( "${intf}" ) | |
83 | ||
84 | local args=( | |
1ca2f88a MT |
85 | "local" "${local}" |
86 | "remote" "${remote}" | |
1a45f9a7 MT |
87 | ) |
88 | ||
6a45a1f1 MT |
89 | case "${interface_mode}" in |
90 | gre) | |
91 | # Add TTL | |
92 | args+=( "ttl" "255" ) | |
93 | ;; | |
94 | ||
95 | vti) | |
96 | # Add key for VTI | |
97 | args+=( "key" "${id}" ) | |
98 | ;; | |
99 | esac | |
b8c153bc | 100 | |
1a45f9a7 MT |
101 | # Update the settings when the interface already exists |
102 | if [ -d "/sys/class/net/${intf}" ]; then | |
103 | ip link change dev "${intf}" \ | |
104 | type "${interface_mode}" "${args[@]}" &>/dev/null | |
b8c153bc | 105 | |
1a45f9a7 MT |
106 | # Create a new interface and bring it up |
107 | else | |
108 | log "Creating interface ${intf}" | |
3dc21d43 MT |
109 | if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then |
110 | log "Could not create interface ${intf}" | |
111 | continue | |
112 | fi | |
1a45f9a7 MT |
113 | fi |
114 | ||
115 | # Add an IP address | |
116 | ip addr flush dev "${intf}" | |
117 | ip addr add "${interface_address}" dev "${intf}" | |
118 | ||
119 | # Set MTU | |
120 | ip link set dev "${intf}" mtu "${interface_mtu}" | |
b8c153bc | 121 | |
1a45f9a7 MT |
122 | # Bring up the interface |
123 | ip link set dev "${intf}" up | |
124 | done < "${VPN_CONFIG}" | |
125 | fi | |
b8c153bc MT |
126 | |
127 | # Delete all other interfaces | |
128 | local intf | |
c821440c | 129 | for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do |
b8c153bc MT |
130 | intf="$(basename "${intf}")" |
131 | ||
132 | # Ignore a couple of interfaces that cannot be deleted | |
133 | case "${intf}" in | |
134 | gre0|gretap0) | |
135 | continue | |
136 | ;; | |
137 | esac | |
138 | ||
139 | # Check if interface is on the list | |
140 | local i found="false" | |
141 | for i in ${interfaces[@]}; do | |
142 | if [ "${intf}" = "${i}" ]; then | |
143 | found="true" | |
144 | break | |
145 | fi | |
146 | done | |
147 | ||
148 | # Nothing to do if interface was found | |
149 | ${found} && continue | |
150 | ||
151 | # Delete the interface | |
152 | log "Deleting interface ${intf}" | |
153 | ip link del "${intf}" &>/dev/null | |
154 | done | |
155 | } | |
156 | ||
157 | main || exit $? |