]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blobdiff - src/misc-progs/ipsecctrl.c
projects / people / pmueller / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ipsecctrl: remove fw-rules clear because strongswan try to do this also.
[people/pmueller/ipfire-2.x.git] / src / misc-progs / ipsecctrl.c
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index aa6b8a422e211273b096908ee99afa4b63eac82a..085feabbcc1596dd69270bac988e75a71ac09347 100644 (file)
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -58,12 +58,17 @@ void open_physical (char *interface, int nat_traversal_port) {
 //        sprintf(str, "/sbin/iptables -A " phystable " -p 51  -i %s -j ACCEPT", interface);
 //        safe_system(str);
         // IKE
+
+        sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+        safe_system(str);
         sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
         safe_system(str);
 
         if (! nat_traversal_port) 
             return;
 
+        sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+        safe_system(str);
         sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
         safe_system(str);
 }
@@ -140,6 +145,8 @@ void turn_connection_on (char *name, char *type) {
 
         safe_system("/usr/sbin/ipsec reload >/dev/null");
         memset(command, 0, STRING_SIZE);
+        /* give ipsec time to be ready */
+        safe_system("/bin/sleep 5");
         snprintf(command, STRING_SIZE - 1, 
                 "/usr/sbin/ipsec up %s >/dev/null", name);
         safe_system(command);
@@ -172,6 +179,17 @@ int main(int argc, char *argv[]) {
                 
  FILE *file = NULL;
                 
+
+        if (strcmp(argv[1], "I") == 0) {
+                safe_system("/usr/sbin/ipsec whack --status");
+                exit(0);
+        }
+
+        if (strcmp(argv[1], "R") == 0) {
+                safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
+                exit(0);
+        }
+
  /* Get vpnwatch pid */
 
  if ( (argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
@@ -187,31 +205,18 @@ int main(int argc, char *argv[]) {
         /* handle operations that doesn't need start the ipsec system */
         if (argc == 2) {
                 if (strcmp(argv[1], "D") == 0) {
-                        ipsec_norules();
                         /* Only shutdown pluto if it really is running */
                         /* Get pluto pid */
                         if (file = fopen("/var/run/pluto.pid", "r")) {
                                 safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
                                 close(file);
                         }
-                        exit(0);
-                }
-
-                if (strcmp(argv[1], "R") == 0) {
-                        safe_system("/usr/sbin/ipsec whack --rereadall");
-                        exit(0);
-                }
-
-                if (strcmp(argv[1], "I") == 0) {
-                        safe_system("/usr/sbin/ipsec whack --status");
+                        ipsec_norules();
                         exit(0);
                 }
 
         }
 
-        /* clear iptables vpn rules */
-        ipsec_norules();
-
         /* read vpn config */
         kv=initkeyvalues();
         if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
@@ -345,7 +350,6 @@ int main(int argc, char *argv[]) {
         // it is a selective start or stop
         // second param is only a number 'key'
         if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
-                ipsec_norules();
                 fprintf(stderr, "Bad arg\n");
                 usage();
                 exit(1);
@@ -353,7 +357,6 @@ int main(int argc, char *argv[]) {
 
         // search the vpn pointed by 'key'
         if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
-                ipsec_norules();
                 fprintf(stderr, "Couldn't open vpn settings file");
                 exit(1);
         }
@@ -383,7 +386,6 @@ int main(int argc, char *argv[]) {
                 if (strcmp(argv[1], "D") == 0)
                         turn_connection_off (name);
                 else {
-                        ipsec_norules();
                         fprintf(stderr, "Bad command\n");
                         exit(1);
                 }
Peter's tree of IPFire 2.x