X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Fmisc-progs%2Fipsecctrl.c;h=ae3899619deeb23b4216fa3428a63cb2fee4fc3a;hp=d974d6c6a5df66d2f48c581294ab94922b3858c4;hb=0d181206ca614936a3f8715e78baaf4850c6127b;hpb=90070fc927c8d8a3a37d0eb818a2c611c4e62fc7
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index d974d6c6a5..ae3899619d 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -58,12 +58,17 @@ void open_physical (char *interface, int nat_traversal_port) {
 // sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
 // safe_system(str);
 // IKE
+
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+ safe_system(str);
 sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
 safe_system(str);
 if (! nat_traversal_port) return;
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+ safe_system(str);
 sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
 safe_system(str);
 }
@@ -136,15 +141,11 @@ int decode_line (char *s,
 issue ipsec commmands to turn on connection 'name' */
 void turn_connection_on (char *name, char *type) {
- char command[STRING_SIZE];
-
- safe_system("/usr/sbin/ipsec reload >/dev/null");
- memset(command, 0, STRING_SIZE);
- /* give ipsec time to be ready */
- safe_system("/bin/sleep 2");
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec up %s >/dev/null", name);
- safe_system(command);
+/*
+ if you find a way to start a single connection without changing all add it
+ here. Change also vpn-watch.
+*/
+ safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
 }
 /* issue ipsec commmands to turn off connection 'name'
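Review bot: The two added `-D` commands, like the `-A` ones they precede, format `interface` into `str` with an unbounded `sprintf` and hand the result to a shell through safe_system, so an over-long interface name overflows `str` and one containing shell metacharacters changes the command that runs. `str` is declared before the hunk (open_physical's body starts outside it), so its size is not visible here; assuming it is STRING_SIZE bytes like the `command` buffer the second hunk removes, `snprintf(str, STRING_SIZE, ...)` bounds every write, and rejecting any `interface` that contains characters outside letters, digits, `.`, `_` and `-` before the first sprintf keeps the shell from ever seeing anything but an interface name. The `>/dev/null 2>&1` on the `-D` lines silences the expected "rule does not exist" error on first use but also hides real iptables failures, which deserves a comment such as `/* -D before -A so repeated calls do not stack duplicate rules; -D failing on first run is expected */`.
```c
/* refuse anything that is not a plain interface name before it reaches a shell */
if (strspn(interface, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-") != strlen(interface))
    return;
/* -D before -A so repeated calls do not stack duplicate rules; -D failing on first run is expected */
snprintf(str, STRING_SIZE, "/sbin/iptables -D IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
safe_system(str);
// … unchanged: the matching -A rule and the NAT-traversal -D/-A pair, converted to snprintf the same way …
```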
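Review bot: After the rewrite `turn_connection_on` no longer reads either of its parameters, so `name` and `type` are unused and will draw `-Wunused-parameter` warnings; keeping the signature for callers but adding `(void)name; (void)type;` at the top of the body records that this is deliberate. The new comment sits at column 0 inside the function body and describes a limitation rather than the function's contract; a header comment above the definition such as `/* Restarts the whole ipsec service: there is currently no way to bring up a single connection, so every tunnel is bounced. Keep vpn-watch in sync if this changes. */` would carry the same information where readers look for it. The result of `safe_system` is discarded, so a failed restart is invisible to the caller; if safe_system returns a status, it is worth surfacing here.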
@@ -177,21 +178,24 @@ int main(int argc, char *argv[]) {
 if (strcmp(argv[1], "I") == 0) {
 safe_system("/usr/sbin/ipsec whack --status");
+ safe_system("/usr/sbin/ipsec stroke status");
 exit(0);
 }
 if (strcmp(argv[1], "R") == 0) {
 safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
+ safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null");
 exit(0);
 }
 /* Get vpnwatch pid */
- if ( (argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
- safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
- safe_system("unlink /var/run/vpn-watch.pid");
- close(file);
- }
+
+ if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
+ safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
+ safe_system("unlink /var/run/vpn-watch.pid");
+ close(file);
+ }
 /* FIXME: workaround for pclose() issue - still no real idea why
 * this is happening */
@@ -200,21 +204,18 @@ int main(int argc, char *argv[]) {
 /* handle operations that doesn't need start the ipsec system */
 if (argc == 2) {
 if (strcmp(argv[1], "D") == 0) {
- ipsec_norules();
 /* Only shutdown pluto if it really is running */
 /* Get pluto pid */
 if (file = fopen("/var/run/pluto.pid", "r")) {
 safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
 close(file);
 }
+ ipsec_norules();
 exit(0);
 }
 }
- /* clear iptables vpn rules */
- ipsec_norules();
-
 /* read vpn config */
 kv=initkeyvalues();
 if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
@@ -340,15 +341,14 @@ int main(int argc, char *argv[]) {
 // start the system
 if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
- safe_system("/usr/local/bin/vpn-watch &");
+ safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
+ safe_system("/usr/local/bin/vpn-watch &");
 exit(0);
 }
 // it is a selective start or stop
 // second param is only a number 'key'
 if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
- ipsec_norules();
 fprintf(stderr, "Bad arg\n");
 usage();
 exit(1);
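Review bot: The re-indented vpn-watch block still calls `close(file)` on the `FILE *` returned by `fopen`, which passes a pointer where `close()` expects a descriptor, never releases the stream, and may close an unrelated descriptor; it should be `fclose(file)`. The same `close(file)` follows the pluto.pid `fopen` in the next hunk. Since the stream is already open, reading the pid from it and signalling it directly also avoids routing the file's contents through `$(cat ...)` in a shell command, and `unlink(2)` replaces the second shell call; this needs `<signal.h>` and `<unistd.h>` in scope (the include block is outside the hunk) and a `pid > 1` guard so a malformed or empty file can never turn into `kill(0, …)` or `kill(-1, …)`. `main` starts and ends outside the hunk.
```c
if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
    int pid = 0;
    /* pid 0 or -1 would address the process group or every process, so never signal those */
    if (fscanf(file, "%d", &pid) == 1 && pid > 1)
        kill((pid_t)pid, SIGKILL);
    fclose(file);
    unlink("/var/run/vpn-watch.pid");
}
```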
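Review bot: `if (file = fopen("/var/run/pluto.pid", "r"))` uses the assignment itself as the condition with no comparison, which compilers flag as a possible `==` typo and which reads oddly next to the explicit `strcmp(...) == 0` checks above it; `if ((file = fopen("/var/run/pluto.pid", "r")) != NULL) {` states the intent. Moving `ipsec_norules()` after the stop means the firewall rules now stay in place while the daemon shuts down; if that ordering is the point of the change, a one-line comment such as `/* drop the firewall rules only after the daemon is down */` above the new call would keep the next editor from moving it back.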
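Review bot: The key check `strspn(argv[2], NUMBERS) != strlen(argv[2])` accepts an empty second argument, because both calls return 0 for `""`, so a call with an empty key passes validation and presumably reaches the config lookup below with no key at all; adding an emptiness test closes that gap: `if ((argc == 2) || argv[2][0] == '\0' || strspn(argv[2], NUMBERS) != strlen(argv[2])) {`. With `ipsec_norules()` removed from this error path the firewall rules are left as they were on a bad argument, which is consistent with the other error paths in this commit. `main` continues outside the hunk.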
@@ -356,7 +356,6 @@ int main(int argc, char *argv[]) {
 // search the vpn pointed by 'key'
 if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
- ipsec_norules();
 fprintf(stderr, "Couldn't open vpn settings file");
 exit(1);
 }
@@ -386,7 +385,6 @@ int main(int argc, char *argv[]) {
 if (strcmp(argv[1], "D") == 0)
 turn_connection_off (name);
 else {
- ipsec_norules();
 fprintf(stderr, "Bad command\n");
 exit(1);
 }