1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2015 IPFire Team #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
# Unmatched globs expand to nothing (relied upon by the /sys/class/net/* loop in main)
shopt -s nullglob

# Connection records, one comma-separated line per connection
VPN_CONFIG="/var/ipfire/vpn/config"

# Import the global IPsec settings; ENABLED and VPN_IP are read in main.
# NOTE(review): this evaluates the helper's output as shell code — assumes
# readhash emits only shell-safe KEY=value assignments built from the
# settings file; confirm before trusting that file's contents.
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)

# Field names of one VPN_CONFIG record, in column order. They are handed to
# read -r and declared as locals in main; the x* entries are columns this
# script does not use.
VARS=(
  id status name lefthost type ctype x1 x2 x3 leftsubnets
  remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
  x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
  route x26 mode interface_mode interface_address interface_mtu rest
)
34
#######################################
# Forward a message to syslog under the "ipsec" tag.
# Arguments: $@ - message words
# Outputs:   nothing on stdout; the message goes to syslog
#######################################
log() {
  local tag="ipsec"
  logger -t "${tag}" "$@"
}
38
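#######################################
# Create or update the GRE/VTI interface of every enabled net-to-net
# connection, then delete the GRE/VTI interfaces that belong to none.
# Globals:   ENABLED, VPN_IP (read; set by readhash), VARS, VPN_CONFIG (read)
# Arguments: none
# Outputs:   progress and failures via log(); ip(8) errors on stderr
# Returns:   status of the last command executed in the function
#######################################
main() {
  # One local per record field so read -r can fill them directly
  local "${VARS[@]}"

  # Interfaces owned by an enabled connection; everything else is removed below
  local interfaces=()

  # We are done when IPsec is not enabled
  if [ "${ENABLED}" = "on" ]; then
    # Config fields reach ip(8) only as separate argv words; the shell never
    # re-interprets them.
    while IFS="," read -r "${VARS[@]}"; do
      # Skip disabled connections
      [ "${status}" = "on" ] || continue

      # Only net-to-net connections get an interface
      [ "${type}" = "net" ] || continue

      # Determine the interface name; other modes have no interface
      case "${interface_mode}" in
        gre|vti)
          local intf="${interface_mode}${id}"
          ;;
        *)
          continue
          ;;
      esac

      # Remember the interface so the cleanup loop keeps it
      interfaces+=( "${intf}" )

      local args=(
        "local" "${VPN_IP}"
        "remote" "${righthost}"
        "ttl" "255"
      )

      # Add key for VTI
      if [ "${interface_mode}" = "vti" ]; then
        args+=( key "${id}" )
      fi

      # Update the settings when the interface already exists
      if [ -d "/sys/class/net/${intf}" ]; then
        ip link change dev "${intf}" \
          type "${interface_mode}" "${args[@]}" &>/dev/null

      # Create a new interface and bring it up
      else
        log "Creating interface ${intf}"
        if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
          log "Could not create interface ${intf}"
          continue
        fi
      fi

      # Replace whatever address the interface currently has
      ip addr flush dev "${intf}"
      ip addr add "${interface_address}" dev "${intf}"

      # Set MTU only when the record carries one; an empty value would just
      # make ip(8) fail with a usage error
      if [ -n "${interface_mtu}" ]; then
        ip link set dev "${intf}" mtu "${interface_mtu}"
      fi

      # Bring up the interface
      ip link set dev "${intf}" up
    done < "${VPN_CONFIG}"
  fi

  # Delete all GRE/VTI interfaces that are not on the list
  # (nullglob is set at the top of the file, so an unmatched pattern is skipped)
  local intf
  for intf in /sys/class/net/gre* /sys/class/net/vti*; do
    # Keep only the last path component (basename without a fork)
    intf="${intf##*/}"

    # Ignore a couple of interfaces that cannot be deleted
    case "${intf}" in
      gre0|gretap0)
        continue
        ;;
    esac

    # Check if interface is on the list; quote the array so each name is one word
    local i found="false"
    for i in "${interfaces[@]}"; do
      if [ "${intf}" = "${i}" ]; then
        found="true"
        break
      fi
    done

    # Nothing to do if interface was found (compare the flag instead of
    # executing its contents as a command)
    [ "${found}" = "true" ] && continue

    # Delete the interface
    log "Deleting interface ${intf}"
    ip link del "${intf}" &>/dev/null
  done
}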
134
# Run the script body and make its status the script's exit status
main
exit "$?"