[people/pmueller/ipfire-2.x.git] / src / scripts / ipsec-interfaces

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

shopt -s nullglob

VPN_CONFIG="/var/ipfire/vpn/config"

eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

VARS=(
	id status name lefthost type ctype psk local x1 leftsubnets
	x2 remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
	route x23 mode interface_mode interface_address interface_mtu rest
)

log() {
	logger -t ipsec "$@"
}

main() {
	# Register local variables
	local "${VARS[@]}"
	local action

	local interfaces=()

	# Compat for older connections
	if [ "${local}" = "off" ]; then
		local=""
	fi

	# Handle %defaultroute
	if [ -z "${local}" ]; then
		if [ -r "/var/ipfire/red/local-ipaddress" ]; then
			local="$(</var/ipfire/red/local-ipaddress)"

		elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
			local="${RED_ADDRESS}"
		fi
	fi

	# We are done when IPsec is not enabled
	if [ "${ENABLED}" = "on" ]; then
		while IFS="," read -r "${VARS[@]}"; do
			# Check if the connection is enabled
			[ "${status}" = "on" ] || continue

			# Check if this a net-to-net connection
			[ "${type}" = "net" ] || continue

			# Determine the interface name
			case "${interface_mode}" in
				gre|vti)
					local intf="${interface_mode}${id}"
					;;
				*)
					continue
					;;
			esac

			# Add the interface to the list of all interfaces
			interfaces+=( "${intf}" )

			local args=(
				"local" "${local}"
				"remote" "${remote}"
			)

			case "${interface_mode}" in
				gre)
					# Add TTL
					args+=( "ttl" "255" )
					;;

				vti)
					# Add key for VTI
					args+=( "key" "${id}" )
					;;
			esac

			# Update the settings when the interface already exists
			if [ -d "/sys/class/net/${intf}" ]; then
				ip link change dev "${intf}" \
					type "${interface_mode}" "${args[@]}" &>/dev/null

			# Create a new interface and bring it up
			else
				log "Creating interface ${intf}"
				if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
					log "Could not create interface ${intf}"
					continue
				fi
			fi

			# Add an IP address
			ip addr flush dev "${intf}"
			ip addr add "${interface_address}" dev "${intf}"

			# Set MTU
			ip link set dev "${intf}" mtu "${interface_mtu}"

			# Bring up the interface
			ip link set dev "${intf}" up
		done < "${VPN_CONFIG}"
	fi

	# Delete all other interfaces
	local intf
	for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
		intf="$(basename "${intf}")"

		# Ignore a couple of interfaces that cannot be deleted
		case "${intf}" in
			gre0|gretap0)
				continue
				;;
		esac

		# Check if interface is on the list
		local i found="false"
		for i in ${interfaces[@]}; do
			if [ "${intf}" = "${i}" ]; then
				found="true"
				break
			fi
		done

		# Nothing to do if interface was found
		${found} && continue

		# Delete the interface
		log "Deleting interface ${intf}"
		ip link del "${intf}" &>/dev/null
	done
}

main || exit $?
Commit	Line	Data
b8c153bc MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	shopt -s nullglob
	23
	24	VPN_CONFIG="/var/ipfire/vpn/config"
	25
54bac014	26	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
b8c153bc MT	27	eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
	28
	29	VARS=(
1ca2f88a MT	30	id status name lefthost type ctype psk local x1 leftsubnets
	31	x2 remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
	32	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
	33	route x23 mode interface_mode interface_address interface_mtu rest
b8c153bc MT	34	)
	35
	36	log() {
	37	logger -t ipsec "$@"
	38	}
	39
	40	main() {
b8c153bc MT	41	# Register local variables
	42	local "${VARS[@]}"
	43	local action
	44
	45	local interfaces=()
1ca2f88a MT	46
	47	# Compat for older connections
	48	if [ "${local}" = "off" ]; then
	49	local=""
	50	fi
54bac014 MT	51
54bac014 MT	52	# Handle %defaultroute
1ca2f88a	53	if [ -z "${local}" ]; then
54bac014	54	if [ -r "/var/ipfire/red/local-ipaddress" ]; then
1ca2f88a	55	local="$(</var/ipfire/red/local-ipaddress)"
54bac014 MT	56
54bac014 MT	57	elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
1ca2f88a	58	local="${RED_ADDRESS}"
54bac014	59	fi
54bac014	60	fi
b8c153bc	61
1a45f9a7 MT	62	# We are done when IPsec is not enabled
	63	if [ "${ENABLED}" = "on" ]; then
	64	while IFS="," read -r "${VARS[@]}"; do
	65	# Check if the connection is enabled
	66	[ "${status}" = "on" ] \|\| continue
	67
	68	# Check if this a net-to-net connection
	69	[ "${type}" = "net" ] \|\| continue
	70
	71	# Determine the interface name
	72	case "${interface_mode}" in
	73	gre\|vti)
	74	local intf="${interface_mode}${id}"
	75	;;
	76	*)
	77	continue
	78	;;
	79	esac
	80
	81	# Add the interface to the list of all interfaces
	82	interfaces+=( "${intf}" )
	83
	84	local args=(
1ca2f88a MT	85	"local" "${local}"
1ca2f88a MT	86	"remote" "${remote}"
1a45f9a7 MT	87	)
1a45f9a7 MT	88
6a45a1f1 MT	89	case "${interface_mode}" in
	90	gre)
	91	# Add TTL
	92	args+=( "ttl" "255" )
	93	;;
	94
	95	vti)
	96	# Add key for VTI
	97	args+=( "key" "${id}" )
	98	;;
	99	esac
b8c153bc	100
1a45f9a7 MT	101	# Update the settings when the interface already exists
	102	if [ -d "/sys/class/net/${intf}" ]; then
	103	ip link change dev "${intf}" \
	104	type "${interface_mode}" "${args[@]}" &>/dev/null
b8c153bc	105
1a45f9a7 MT	106	# Create a new interface and bring it up
	107	else
	108	log "Creating interface ${intf}"
3dc21d43 MT	109	if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
	110	log "Could not create interface ${intf}"
	111	continue
	112	fi
1a45f9a7 MT	113	fi
	114
	115	# Add an IP address
	116	ip addr flush dev "${intf}"
	117	ip addr add "${interface_address}" dev "${intf}"
	118
	119	# Set MTU
	120	ip link set dev "${intf}" mtu "${interface_mtu}"
b8c153bc	121
1a45f9a7 MT	122	# Bring up the interface
	123	ip link set dev "${intf}" up
	124	done < "${VPN_CONFIG}"
	125	fi
b8c153bc MT	126
	127	# Delete all other interfaces
	128	local intf
c821440c	129	for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
b8c153bc MT	130	intf="$(basename "${intf}")"
	131
	132	# Ignore a couple of interfaces that cannot be deleted
	133	case "${intf}" in
	134	gre0\|gretap0)
	135	continue
	136	;;
	137	esac
	138
	139	# Check if interface is on the list
	140	local i found="false"
	141	for i in ${interfaces[@]}; do
	142	if [ "${intf}" = "${i}" ]; then
	143	found="true"
	144	break
	145	fi
	146	done
	147
	148	# Nothing to do if interface was found
	149	${found} && continue
	150
	151	# Delete the interface
	152	log "Deleting interface ${intf}"
	153	ip link del "${intf}" &>/dev/null
	154	done
	155	}
	156
	157	main \|\| exit $?