#!/bin/sh # IPsec startup and shutdown script # Copyright (C) 1998, 1999, 2001 Henry Spencer. # Copyright (C) 2002 Michael Richardson # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: setup.in,v 1.122.6.3 2006/10/26 23:54:32 paul Exp $ # # ipsec init.d script for starting and stopping # the IPsec security subsystem (KLIPS and Pluto). # # This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec) # and is also accessible as "ipsec setup" (the preferred route for human # invocation). # # The startup and shutdown times are a difficult compromise (in particular, # it is almost impossible to reconcile them with the insanely early/late # times of NFS filesystem startup/shutdown). Startup is after startup of # syslog and pcmcia support; shutdown is just before shutdown of syslog. # # chkconfig: 2345 47 76 # description: IPsec provides encrypted and authenticated communications; \ # KLIPS is the kernel half of it, Pluto is the user-level management daemon. me='ipsec setup' # for messages # where the private directory and the config files are IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}" IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}" IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}" IPSEC_CONFS="${IPSEC_CONFS-/etc}" if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command then # we must establish a suitable PATH ourselves PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin export PATH IPSEC_DIR="$IPSEC_LIBDIR" export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR fi # Check that the ipsec command is available. found= for dir in `echo $PATH | tr ':' ' '` do if test -f $dir/ipsec -a -x $dir/ipsec then found=yes break # NOTE BREAK OUT fi done if ! test "$found" then echo "cannot find ipsec command -- \`$1' aborted" | logger -s -p daemon.error -t ipsec_setup exit 1 fi # accept a few flags export IPSEC_setupflags IPSEC_setupflags="" config="" for dummy do case "$1" in --showonly|--show) IPSEC_setupflags="$1" ;; --config) config="--config $2" ; shift ;; *) break ;; esac shift done # Pick up IPsec configuration (until we have done this, successfully, we # do not know where errors should go, hence the explicit "daemon.error"s.) # Note the "--export", which exports the variables created. eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup` if test " $IPSEC_confreadstatus" != " " then case $1 in stop|--stop|_autostop) echo "$IPSEC_confreadstatus -- \`$1' may not work" | logger -s -p daemon.error -t ipsec_setup;; *) echo "$IPSEC_confreadstatus -- \`$1' aborted" | logger -s -p daemon.error -t ipsec_setup; exit 1;; esac fi IPSEC_confreadsection=${IPSEC_confreadsection:-setup} export IPSEC_confreadsection IPSECsyslog=${IPSECsyslog-daemon.error} export IPSECsyslog # misc setup umask 022 mkdir -p /var/run/pluto # do it case "$1" in start|--start|stop|--stop|_autostop|_autostart) if test " `id -u`" != " 0" then echo "permission denied (must be superuser)" | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 exit 1 fi tmp=/var/run/pluto/ipsec_setup.st outtmp=/var/run/pluto/ipsec_setup.out ( ipsec _realsetup $1 echo "$?" >$tmp ) > ${outtmp} 2>&1 st=$? if test -f $tmp then st=`cat $tmp` rm -f $tmp fi if [ -f ${outtmp} ]; then cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 rm -f ${outtmp} fi exit $st ;; restart|--restart|force-reload) $0 $IPSEC_setupflags stop $0 $IPSEC_setupflags start ;; _autorestart) # for internal use only $0 $IPSEC_setupflags _autostop $0 $IPSEC_setupflags _autostart ;; status|--status) ipsec _realsetup $1 exit ;; --version) echo "$me $IPSEC_VERSION" exit 0 ;; --help) echo "Usage: $me [ --showonly ] {--start|--stop|--restart}" echo " $me --status" exit 0 ;; *) echo "Usage: $me [ --showonly ] {--start|--stop|--restart}" echo " $me --status" exit 2 esac exit 0