[people/pmueller/ipfire-2.x.git] / src / scripts / ipsec-interfaces

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2015 IPFire Team                                              #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

shopt -s nullglob

VPN_CONFIG="/var/ipfire/vpn/config"

eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

VARS=(
	id status name lefthost type ctype psk local local_id leftsubnets
	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
	route x23 mode interface_mode interface_address interface_mtu rest
)

log() {
	logger -t ipsec "$@"
}

resolve_hostname() {
	local hostname="${1}"

	dig +short A "${hostname}" | tail -n1
}

main() {
	# Register local variables
	local "${VARS[@]}"
	local action

	local interfaces=()

	# We are done when IPsec is not enabled
	if [ "${ENABLED}" = "on" ]; then
		while IFS="," read -r "${VARS[@]}"; do
			# Check if the connection is enabled
			[ "${status}" = "on" ] || continue

			# Check if this a net-to-net connection
			[ "${type}" = "net" ] || continue

			# Determine the interface name
			case "${interface_mode}" in
				gre|vti)
					local intf="${interface_mode}${id}"
					;;
				*)
					continue
					;;
			esac

			# Add the interface to the list of all interfaces
			interfaces+=( "${intf}" )

			# Compat for older connections
			if [ "${local}" = "off" ]; then
				if [ "${VPN_IP}" = "%defaultroute" ]; then
					local=""
				else
					local="${VPN_IP}"
				fi
			fi

			# Handle %defaultroute
			if [ -z "${local}" ]; then
				if [ -r "/var/ipfire/red/local-ipaddress" ]; then
					local="$(</var/ipfire/red/local-ipaddress)"

				elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
					local="${RED_ADDRESS}"
				fi
			fi

			# Resolve any hostnames
			if [[ ! ${remote} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
				remote="$(resolve_hostname "${remote}")"
			fi

			local args=(
				"local" "${local}"
				"remote" "${remote}"
			)

			case "${interface_mode}" in
				gre)
					# Add TTL
					args+=( "ttl" "255" )
					;;

				vti)
					# Add key for VTI
					args+=( "key" "${id}" )
					;;
			esac

			# Update the settings when the interface already exists
			if [ -d "/sys/class/net/${intf}" ]; then
				ip link change dev "${intf}" \
					type "${interface_mode}" "${args[@]}" &>/dev/null

			# Create a new interface and bring it up
			else
				log "Creating interface ${intf}"
				if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
					log "Could not create interface ${intf}"
					continue
				fi
			fi

			# Add an IP address
			ip addr flush dev "${intf}"
			ip addr add "${interface_address}" dev "${intf}"

			# Set MTU
			ip link set dev "${intf}" mtu "${interface_mtu}"

			# Bring up the interface
			ip link set dev "${intf}" up
		done < "${VPN_CONFIG}"
	fi

	# Delete all other interfaces
	local intf
	for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
		intf="$(basename "${intf}")"

		# Ignore a couple of interfaces that cannot be deleted
		case "${intf}" in
			gre0|gretap0)
				continue
				;;
		esac

		# Check if interface is on the list
		local i found="false"
		for i in ${interfaces[@]}; do
			if [ "${intf}" = "${i}" ]; then
				found="true"
				break
			fi
		done

		# Nothing to do if interface was found
		${found} && continue

		# Delete the interface
		log "Deleting interface ${intf}"
		ip link del "${intf}" &>/dev/null
	done

	# (Re-)Apply all static routes
	/etc/init.d/static-routes start
}

main || exit $?
Commit	Line	Data
b8c153bc MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2015 IPFire Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	shopt -s nullglob
	23
	24	VPN_CONFIG="/var/ipfire/vpn/config"
	25
54bac014	26	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
b8c153bc MT	27	eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
	28
	29	VARS=(
68263645 MT	30	id status name lefthost type ctype psk local local_id leftsubnets
68263645 MT	31	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
1ca2f88a MT	32	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
1ca2f88a MT	33	route x23 mode interface_mode interface_address interface_mtu rest
b8c153bc MT	34	)
	35
	36	log() {
	37	logger -t ipsec "$@"
	38	}
	39
f9dd1346 MT	40	resolve_hostname() {
	41	local hostname="${1}"
	42
	43	dig +short A "${hostname}" \| tail -n1
	44	}
	45
b8c153bc	46	main() {
b8c153bc MT	47	# Register local variables
	48	local "${VARS[@]}"
	49	local action
	50
	51	local interfaces=()
1ca2f88a	52
1a45f9a7 MT	53	# We are done when IPsec is not enabled
	54	if [ "${ENABLED}" = "on" ]; then
	55	while IFS="," read -r "${VARS[@]}"; do
	56	# Check if the connection is enabled
	57	[ "${status}" = "on" ] \|\| continue
	58
	59	# Check if this a net-to-net connection
	60	[ "${type}" = "net" ] \|\| continue
	61
	62	# Determine the interface name
	63	case "${interface_mode}" in
	64	gre\|vti)
	65	local intf="${interface_mode}${id}"
	66	;;
	67	*)
	68	continue
	69	;;
	70	esac
	71
	72	# Add the interface to the list of all interfaces
	73	interfaces+=( "${intf}" )
	74
d985ce5a MT	75	# Compat for older connections
	76	if [ "${local}" = "off" ]; then
	77	if [ "${VPN_IP}" = "%defaultroute" ]; then
	78	local=""
	79	else
	80	local="${VPN_IP}"
	81	fi
	82	fi
	83
	84	# Handle %defaultroute
	85	if [ -z "${local}" ]; then
	86	if [ -r "/var/ipfire/red/local-ipaddress" ]; then
	87	local="$(</var/ipfire/red/local-ipaddress)"
	88
	89	elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
	90	local="${RED_ADDRESS}"
	91	fi
	92	fi
	93
f9dd1346 MT	94	# Resolve any hostnames
	95	if [[ ! ${remote} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
	96	remote="$(resolve_hostname "${remote}")"
	97	fi
	98
1a45f9a7	99	local args=(
1ca2f88a MT	100	"local" "${local}"
1ca2f88a MT	101	"remote" "${remote}"
1a45f9a7 MT	102	)
1a45f9a7 MT	103
6a45a1f1 MT	104	case "${interface_mode}" in
	105	gre)
	106	# Add TTL
	107	args+=( "ttl" "255" )
	108	;;
	109
	110	vti)
	111	# Add key for VTI
	112	args+=( "key" "${id}" )
	113	;;
	114	esac
b8c153bc	115
1a45f9a7 MT	116	# Update the settings when the interface already exists
	117	if [ -d "/sys/class/net/${intf}" ]; then
	118	ip link change dev "${intf}" \
	119	type "${interface_mode}" "${args[@]}" &>/dev/null
b8c153bc	120
1a45f9a7 MT	121	# Create a new interface and bring it up
	122	else
	123	log "Creating interface ${intf}"
3dc21d43 MT	124	if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
	125	log "Could not create interface ${intf}"
	126	continue
	127	fi
1a45f9a7 MT	128	fi
	129
	130	# Add an IP address
	131	ip addr flush dev "${intf}"
	132	ip addr add "${interface_address}" dev "${intf}"
	133
	134	# Set MTU
	135	ip link set dev "${intf}" mtu "${interface_mtu}"
b8c153bc	136
1a45f9a7 MT	137	# Bring up the interface
	138	ip link set dev "${intf}" up
	139	done < "${VPN_CONFIG}"
	140	fi
b8c153bc MT	141
	142	# Delete all other interfaces
	143	local intf
c821440c	144	for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
b8c153bc MT	145	intf="$(basename "${intf}")"
	146
	147	# Ignore a couple of interfaces that cannot be deleted
	148	case "${intf}" in
	149	gre0\|gretap0)
	150	continue
	151	;;
	152	esac
	153
	154	# Check if interface is on the list
	155	local i found="false"
	156	for i in ${interfaces[@]}; do
	157	if [ "${intf}" = "${i}" ]; then
	158	found="true"
	159	break
	160	fi
	161	done
	162
	163	# Nothing to do if interface was found
	164	${found} && continue
	165
	166	# Delete the interface
	167	log "Deleting interface ${intf}"
	168	ip link del "${intf}" &>/dev/null
	169	done
a485606c MT	170
	171	# (Re-)Apply all static routes
	172	/etc/init.d/static-routes start
b8c153bc MT	173	}
	174
	175	main \|\| exit $?