X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Fmisc-progs%2Fipsecctrl.c;h=085feabbcc1596dd69270bac988e75a71ac09347;hp=7205afb37c447d64f1e82dbc4b93301f1789ff8e;hb=1f324fd71d0dac2e538466ec851a32689df2d896;hpb=ea61e29cdbb4b50d43403c8ebb4af4c3d61ea391
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 7205afb37c..085feabbcc 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -58,12 +58,17 @@ void open_physical (char *interface, int nat_traversal_port) {
 // sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
 // safe_system(str);
 // IKE
+
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+ safe_system(str);
 sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
 safe_system(str);
 if (! nat_traversal_port) return;
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+ safe_system(str);
 sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
 safe_system(str);
 }
@@ -138,12 +143,10 @@ int decode_line (char *s,
 void turn_connection_on (char *name, char *type) {
 char command[STRING_SIZE];
- safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec down %s >/dev/null", name);
- safe_system(command);
+ safe_system("/usr/sbin/ipsec reload >/dev/null");
 memset(command, 0, STRING_SIZE);
+ /* give ipsec time to be ready */
+ safe_system("/bin/sleep 5");
 snprintf(command, STRING_SIZE - 1,
 "/usr/sbin/ipsec up %s >/dev/null", name);
 safe_system(command);
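Review bot: The two added `sprintf(str, ...)` calls write an unbounded, shell-bound command into `str` with `interface` interpolated, repeating the pattern of the `-A` lines they mirror, and the new `-D` strings are the longest of the set because of the appended `>/dev/null 2>&1`, so they are the first to overrun if `str` is sized tightly. `str` is declared outside the hunk; if it is a fixed-size array the calls should be `snprintf(str, sizeof str, ...)` with the return value compared against `sizeof str` before `safe_system(str)` runs. Validating `interface` against the character set an interface name may contain, before it is formatted into any of the four command strings, would keep an unexpected config value from reaching the shell. open_physical's body starts outside the hunk.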
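Review bot: The added `safe_system("/bin/sleep 5")` spawns a shell for a fixed delay and hard-codes a guess at how long `ipsec reload` takes; `sleep(5)` from `<unistd.h>` (if the file includes it) gives the same pause without the extra process, and the comment should record why 5 seconds was chosen, for example `/* ipsec reload returns before the daemon has re-read the conns; 5s was enough in testing */`. Because the reload is run as `ipsec reload >/dev/null`, its exit status is dropped and a failed reload is still followed by `ipsec up %s`; if safe_system returns the command's status, that return should be checked before sleeping. The retained `memset(command, 0, STRING_SIZE)` is redundant with snprintf's own NUL-termination. turn_connection_on's body continues outside the hunk.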
@@ -155,8 +158,9 @@ void turn_connection_off (char *name) {
 char command[STRING_SIZE];
 memset(command, 0, STRING_SIZE);
 snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec down %s >/dev/null", name);
+ "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name);
 safe_system(command);
+ safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
 }
@@ -175,6 +179,17 @@ int main(int argc, char *argv[]) {
 FILE *file = NULL;
+
+ if (strcmp(argv[1], "I") == 0) {
+ safe_system("/usr/sbin/ipsec whack --status");
+ exit(0);
+ }
+
+ if (strcmp(argv[1], "R") == 0) {
+ safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
+ exit(0);
+ }
+
 /* Get vpnwatch pid */
 if ( (argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
@@ -190,31 +205,18 @@ int main(int argc, char *argv[]) {
 /* handle operations that doesn't need start the ipsec system */
 if (argc == 2) {
 if (strcmp(argv[1], "D") == 0) {
- ipsec_norules();
 /* Only shutdown pluto if it really is running */
 /* Get pluto pid */
 if (file = fopen("/var/run/pluto.pid", "r")) {
 safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
 close(file);
 }
- exit(0);
- }
-
- if (strcmp(argv[1], "R") == 0) {
- safe_system("/usr/sbin/ipsec whack --rereadall");
- exit(0);
- }
-
- if (strcmp(argv[1], "I") == 0) {
- safe_system("/usr/sbin/ipsec whack --status");
+ ipsec_norules();
 exit(0);
 }
 }
- /* clear iptables vpn rules */
- ipsec_norules();
-
 /* read vpn config */
 kv=initkeyvalues();
 if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
@@ -348,7 +350,6 @@ int main(int argc, char *argv[]) {
 // it is a selective start or stop
 // second param is only a number 'key'
 if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
- ipsec_norules();
 fprintf(stderr, "Bad arg\n");
 usage();
 exit(1);
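Review bot: The rewritten `snprintf(command, STRING_SIZE - 1, "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name)` discards snprintf's return value, so a `name` long enough to be truncated is handed to the shell as a different, shorter connection name and the delete silently misses; capture the result as `int n = snprintf(...)` and bail with an error before `safe_system(command)` when `n < 0 || n >= STRING_SIZE - 1`. The added `whack --rereadall >/dev/null` likewise hides its exit status, so a failed reread after the delete leaves the daemon and the on-disk config out of step with nothing reported to the caller. turn_connection_off's body fits within the hunk apart from its closing brace context.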
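Review bot: The added `strcmp(argv[1], "I")` and `strcmp(argv[1], "R")` tests run before any visible check that `argc >= 2`; the surviving context `if ( (argc == 2) && ...` a few lines later suggests argc has not been validated at this point, so an invocation with no arguments would pass a NULL `argv[1]` to strcmp. main's start is outside the hunk, so an earlier guard would make this moot; otherwise insert `if (argc < 2) { usage(); exit(1); }` ahead of the new blocks (usage() is the helper the later "Bad arg" path already calls). The two handlers also exit without the `argc == 2` check that the "D" path retains, so extra arguments after `I` or `R` are accepted silently; mirroring that check keeps the three single-argument commands consistent.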
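Review bot: The "D" branch that the commit rearranges still calls `close(file)` on a `FILE *` obtained from `fopen("/var/run/pluto.pid", "r")`; `close()` takes an int descriptor, so this passes a pointer where an int is expected and the stream is never released — it should be `fclose(file);`. With the unconditional `ipsec_norules()` ahead of `/* read vpn config */` removed here, and its copies dropped from the error paths at @@ -348, @@ -356 and @@ -386, a failed or mis-typed invocation now leaves whatever IPSECINPUT rules are already installed in place; if ipsec_norules() flushes those accept rules, that change in failure behaviour deserves a comment next to `/* read vpn config */` so it is not read as an oversight. main's body continues outside this hunk.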
@@ -356,7 +357,6 @@ int main(int argc, char *argv[]) {
 // search the vpn pointed by 'key'
 if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
- ipsec_norules();
 fprintf(stderr, "Couldn't open vpn settings file");
 exit(1);
 }
@@ -386,7 +386,6 @@ int main(int argc, char *argv[]) {
 if (strcmp(argv[1], "D") == 0)
 turn_connection_off (name);
 else {
- ipsec_norules();
 fprintf(stderr, "Bad command\n");
 exit(1);
 }