X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Fmisc-progs%2Fipsecctrl.c;h=ae3899619deeb23b4216fa3428a63cb2fee4fc3a;hp=d443edccfc8c151501da47642dbdaf6147afce9b;hb=0d181206ca614936a3f8715e78baaf4850c6127b;hpb=0a8db55873838c67f045d4124f566451019622a8
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index d443edccfc..ae3899619d 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -58,12 +58,17 @@ void open_physical (char *interface, int nat_traversal_port) {
 // sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
 // safe_system(str);
 // IKE
+
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+ safe_system(str);
 sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
 safe_system(str);
 if (! nat_traversal_port) return;
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+ safe_system(str);
 sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
 safe_system(str);
 }
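Review bot: The four added lines format the iptables command into `str` with an unbounded `sprintf`, while turn_connection_on/turn_connection_off in this same file bound their buffers with `snprintf(command, STRING_SIZE - 1, ...)`; `str` is declared before the hunk so its size is not visible here, but if it is a STRING_SIZE array the new lines are the place to switch to `snprintf(str, STRING_SIZE - 1, "...", interface)` rather than copy the existing pattern — confirm against its declaration. The delete-before-add pairing also deserves a comment, presumably `/* remove any stale copy of the rule first so repeated starts do not stack duplicate ACCEPT entries */`, because the `>/dev/null 2>&1` on the -D lines otherwise reads as unexplained error suppression. open_physical begins before the hunk.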
@@ -136,35 +141,22 @@ int decode_line (char *s,
 issue ipsec commmands to turn on connection 'name' */
 void turn_connection_on (char *name, char *type) {
- char command[STRING_SIZE];
-
- safe_system("/usr/sbin/ipsec whack --rereadsecrets >/dev/null");
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec auto --replace %s >/dev/null", name);
- safe_system(command);
- if (strcmp(type, "net") == 0) {
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec whack --asynchronous --name %s --initiate >/dev/null", name);
- safe_system(command);
- }
+/*
+ if you find a way to start a single connection without changing all add it
+ here. Change also vpn-watch.
+*/
+ safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
 }
 /* issue ipsec commmands to turn off connection 'name' */
 void turn_connection_off (char *name) {
 char command[STRING_SIZE];
-
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec whack --name %s --terminate >/dev/null", name);
- safe_system(command);
 memset(command, 0, STRING_SIZE);
 snprintf(command, STRING_SIZE - 1,
 "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name);
 safe_system(command);
- safe_system("/usr/sbin/ipsec whack --rereadsecrets >/dev/null");
+ safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
 }
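Review bot: `name` and `type` are now unused in turn_connection_on, because the new body restarts the whole service instead of acting on one connection, so the function warns under -Wunused-parameter and its signature still suggests a per-connection start; add `(void)name; (void)type;` next to the new comment, or state in the comment that the parameters are kept only for the callers. The comment itself sits at column 0 inside the function body and is written as a TODO; rewording it to describe the current contract — every call restarts all tunnels, so a caller looping over connections triggers one full restart per connection — would serve the next reader better, and the older function comment above ("turn on connection 'name'") should be updated to match.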
@@ -183,13 +175,27 @@ int main(int argc, char *argv[]) {
 FILE *file = NULL;
+
+ if (strcmp(argv[1], "I") == 0) {
+ safe_system("/usr/sbin/ipsec whack --status");
+ safe_system("/usr/sbin/ipsec stroke status");
+ exit(0);
+ }
+
+ if (strcmp(argv[1], "R") == 0) {
+ safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
+ safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null");
+ exit(0);
+ }
+
 /* Get vpnwatch pid */
- if ( (argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
- safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
- safe_system("unlink /var/run/vpn-watch.pid");
- close(file);
- }
+
+ if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
+ safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
+ safe_system("unlink /var/run/vpn-watch.pid");
+ close(file);
+ }
 /* FIXME: workaround for pclose() issue - still no real idea why
 * this is happening */
@@ -198,31 +204,18 @@ int main(int argc, char *argv[]) {
 /* handle operations that doesn't need start the ipsec system */
 if (argc == 2) {
 if (strcmp(argv[1], "D") == 0) {
- ipsec_norules();
 /* Only shutdown pluto if it really is running */
 /* Get pluto pid */
 if (file = fopen("/var/run/pluto.pid", "r")) {
 safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
 close(file);
 }
- exit(0);
- }
-
- if (strcmp(argv[1], "R") == 0) {
- safe_system("/usr/sbin/ipsec whack --rereadall");
- exit(0);
- }
-
- if (strcmp(argv[1], "I") == 0) {
- safe_system("/usr/sbin/ipsec whack --status");
+ ipsec_norules();
 exit(0);
 }
 }
- /* clear iptables vpn rules */
- ipsec_norules();
-
 /* read vpn config */
 kv=initkeyvalues();
 if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
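Review bot: The new `strcmp(argv[1], "I")` and `strcmp(argv[1], "R")` tests run before any `argc` check visible in this hunk, so an invocation with no argument passes `argv[1] == NULL` to strcmp and crashes, whereas the vpn-watch block right below keeps its `(argc == 2) &&` guard; unless main rejects `argc < 2` earlier (main starts before the hunk), guard them the same way: `if ((argc == 2) && strcmp(argv[1], "I") == 0) {`. The re-added vpn-watch block also keeps `close(file);` on a `FILE *` — that is the fd-level call taking an int, so the stream is never properly closed — and should read `fclose(file);` (the pluto pid check in the next hunk has the same call as unchanged context). The `>/dev/null` on the "R" commands but not on the "I" ones looks intentional, since "I" is a status query, but a one-line comment saying so would stop a later cleanup from "fixing" it.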
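Review bot: `ipsec_norules()` now runs unconditionally after the stop block in the "D" path, so the IPsec iptables rules are cleared even when `/var/run/pluto.pid` exists but the init script's stop fails — safe_system's result is discarded, and the removed line shows the old code cleared the rules before attempting the stop; if the new ordering is intended, a comment such as `/* clear the IPsec iptables rules only after pluto has been stopped */` above the call would make that explicit. With the unconditional `ipsec_norules()` before the config read also removed, the paths that do not go through "D" no longer touch the rules at all, which looks deliberate but is worth a line in the commit message. main continues beyond the hunk.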
@@ -348,15 +341,14 @@ int main(int argc, char *argv[]) {
 // start the system
 if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
- safe_system("/usr/local/bin/vpn-watch &");
+ safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
+ safe_system("/usr/local/bin/vpn-watch &");
 exit(0);
 }
 // it is a selective start or stop
 // second param is only a number 'key'
 if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
- ipsec_norules();
 fprintf(stderr, "Bad arg\n");
 usage();
 exit(1);
@@ -364,7 +356,6 @@ int main(int argc, char *argv[]) {
 // search the vpn pointed by 'key'
 if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
- ipsec_norules();
 fprintf(stderr, "Couldn't open vpn settings file");
 exit(1);
 }
@@ -394,7 +385,6 @@ int main(int argc, char *argv[]) {
 if (strcmp(argv[1], "D") == 0)
 turn_connection_off (name);
 else {
- ipsec_norules();
 fprintf(stderr, "Bad command\n");
 exit(1);
 }