Merge branch 'master' into ppp-update
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 30 Jun 2010 09:36:50 +0000 (11:36 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 30 Jun 2010 09:36:50 +0000 (11:36 +0200)
16 files changed:
config/etc/ipsec.user.conf [new file with mode: 0644]
config/etc/ipsec.user.secrets [new file with mode: 0644]
config/rootfiles/common/stage2
config/rootfiles/common/strongswan
config/rootfiles/core/38/filelists/files
config/rootfiles/core/38/update.sh
config/rootfiles/core/39/exclude [new file with mode: 0644]
config/rootfiles/core/39/filelists/files [new file with mode: 0644]
config/rootfiles/core/39/meta [new file with mode: 0644]
config/rootfiles/core/39/update.sh [new file with mode: 0644]
html/cgi-bin/ids.cgi
html/cgi-bin/vpnmain.cgi
make.sh
src/misc-progs/ipsecctrl.c
src/misc-progs/rebuildhosts.c
src/scripts/vpn-watch

diff --git a/config/etc/ipsec.user.conf b/config/etc/ipsec.user.conf
new file mode 100644 (file)
index 0000000..19f35db
--- /dev/null
@@ -0,0 +1,2 @@
+# user connections that should not overwritten by the webif
+#
diff --git a/config/etc/ipsec.user.secrets b/config/etc/ipsec.user.secrets
new file mode 100644 (file)
index 0000000..0e0858a
--- /dev/null
@@ -0,0 +1,2 @@
+# user secrets that should not overwritten by the webif
+#
index f542667..a7655e6 100644 (file)
@@ -15,6 +15,8 @@ etc/hddtemp.db
 etc/host.conf
 etc/inittab
 etc/inputrc
+#etc/ipsec.user.conf
+#etc/ipsec.user.secrets
 etc/issue
 etc/ld.so.conf
 etc/logrotate.conf
index 4367cd0..bd0f1de 100644 (file)
@@ -1,4 +1,5 @@
 etc/ipsec.conf
+etc/ipsec.user.conf
 #etc/ipsec.d
 etc/ipsec.d/aacerts
 etc/ipsec.d/acerts
@@ -9,6 +10,7 @@ etc/ipsec.d/ocspcerts
 etc/ipsec.d/private
 etc/ipsec.d/reqs
 etc/ipsec.secrets
+etc/ipsec.user.secrets
 etc/strongswan.conf
 #usr/lib/libcharon.a
 #usr/lib/libcharon.la
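Review bot: Listing `etc/ipsec.user.conf` and `etc/ipsec.user.secrets` in the strongswan rootfile means the package ships templates at those paths, and as far as I can tell a later reinstall or update of that package would extract the templates over files whose own header comment declares them user-maintained; the stage2 rootfile in this same commit lists the two paths commented out, so the two lists disagree on who owns them. If the intent is that the files are created once and never touched again, keep them out of the package rootfile and create them from update.sh only when absent, e.g. `[ -e /etc/ipsec.user.secrets ] || install -m 0600 /dev/null /etc/ipsec.user.secrets`. Relatedly, the new `ipsec.user.secrets` is added with mode 0644 in git; whatever the install step does with that, a secrets file read by the IKE daemon should end up root-only on the target system.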
index ee03488..c6e13b7 100644 (file)
@@ -55,6 +55,7 @@ etc/rc.d/init.d/network
 etc/rc.d/init.d/ntp
 etc/rc.d/init.d/modules
 usr/local/bin/ipsecctrl
+usr/local/bin/rebuildhosts
 usr/local/bin/syslogdctrl
 usr/local/bin/wirelessctrl
 usr/local/sbin/setup
index 1c65373..dc643fe 100644 (file)
@@ -61,6 +61,9 @@ echo boot >> /opt/pakfire/tmp/ROOTFILES
 echo etc/sysconfig/lm_sensors >> /opt/pakfire/tmp/ROOTFILES
 echo usr/lib/ipsec >> /opt/pakfire/tmp/ROOTFILES
 echo usr/libexec/ipsec >> /opt/pakfire/tmp/ROOTFILES
+# exclude squid cache from backup
+sed -i -e "s|^var/log/cache|#var/log/cache|g" /opt/pakfire/tmp/ROOTFILES
+# Backup the files
 tar cjvf /var/ipfire/backup/core-upgrade_$KVER.tar.bz2 \
     -C / -T /opt/pakfire/tmp/ROOTFILES --exclude='#*' > /dev/null 2>&1
 
diff --git a/config/rootfiles/core/39/exclude b/config/rootfiles/core/39/exclude
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/config/rootfiles/core/39/filelists/files b/config/rootfiles/core/39/filelists/files
new file mode 100644 (file)
index 0000000..0037af1
--- /dev/null
@@ -0,0 +1 @@
+etc/system-release
diff --git a/config/rootfiles/core/39/meta b/config/rootfiles/core/39/meta
new file mode 100644 (file)
index 0000000..d547fa8
--- /dev/null
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/39/update.sh b/config/rootfiles/core/39/update.sh
new file mode 100644 (file)
index 0000000..057a6f4
--- /dev/null
@@ -0,0 +1,42 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2010 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+#
+#Stop services
+
+#
+#Extract files
+extract_files
+#
+#Start services
+
+#
+#Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+#
+#Finish
+#Don't report the exitcode last command
+exit 0
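Review bot: `/usr/local/bin/backupctrl exclude >/dev/null 2>&1` discards the result of taking the pre-update backup, and `extract_files` is likewise unchecked before the unconditional `exit 0`, so a failed backup followed by a failed extraction leaves no trace for whoever runs the update. At minimum the backup status should be logged, e.g. `/usr/local/bin/backupctrl exclude >/dev/null 2>&1 || logger -t pakfire "core 39: backup failed"`, and the same for `extract_files`. The empty `#Stop services` / `#Start services` sections are consistent with this core update only shipping `etc/system-release`, which would be worth saying in the comment so nobody assumes a service restart was forgotten.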
index 353643d..1d0f4ab 100644 (file)
@@ -143,7 +143,7 @@ if (-e "/etc/snort/snort.conf") {
                                        # If see more than one dashed line, (start to) create rule file description
                                        if ($dashlinecnt > 1) {
                                                # Check for a line starting with a #
-                                               if ($ruleline =~ /^\#/) {
+                                               if ($ruleline =~ /^\#/ and $ruleline !~ /^\#alert/) {
                                                        # Create tempruleline
                                                        my $tempruleline = $ruleline;
 
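Review bot: The added exclusion on the changed line only skips lines that begin exactly with `#alert`, so a commented-out rule written as `# alert` (space after the hash) would still be picked up as description text; if the intent is to stop disabled rules from leaking into the rule-file description, a pattern such as `$ruleline !~ /^\#\s*alert\b/` would be more robust. A one-line comment stating that intent (`# Skip commented-out rules, keep only descriptive comments`) would also help, since the existing comment above still says only "Check for a line starting with a #". The enclosing if-block and the loop around it start and end outside the hunk.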
index 85bb713..2ed83f0 100644 (file)
@@ -289,6 +289,12 @@ sub writeipsecfiles {
     #print CONF "\tdisablearrivalcheck=no\n";
     print CONF "\n";
 
+    # Add user includes to config file
+    print CONF "include /etc/ipsec.user.conf\n";
+    print CONF "\n";
+
+    print SECRETS "include /etc/ipsec.user/secrets\n";
+
     if (-f "${General::swroot}/certs/hostkey.pem") {
         print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
     }
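Review bot: The secrets include on the `print SECRETS` line points to `/etc/ipsec.user/secrets`, but the file this commit adds is `config/etc/ipsec.user.secrets`, i.e. `/etc/ipsec.user.secrets` (a dot, not a directory separator), so the generated ipsec.secrets includes a path that does not exist. Change it to `print SECRETS "include /etc/ipsec.user.secrets\n";`. Because both includes are unconditional, a short comment noting that the two user files must exist (the commit ships empty templates for them) would save the next maintainer from wondering why strongswan complains about a missing include, depending on how it treats one. writeipsecfiles starts before and ends after the hunk.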
diff --git a/make.sh b/make.sh
index 1f304e8..03806c8 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -25,7 +25,7 @@
 NAME="IPFire"                                                  # Software name
 SNAME="ipfire"                                                 # Short name
 VERSION="2.7"                                                  # Version number
-CORE="38"                                                      # Core Level (Filename)
+CORE="39"                                                      # Core Level (Filename)
 PAKFIRE_CORE="38"                                              # Core Level (PAKFIRE)
 GIT_BRANCH=`git status | head -n1 | cut -d" " -f4`             # Git Branch
 SLOGAN="www.ipfire.org"                                                # Software slogan
index 2e8ca53..51f6b5a 100644 (file)
@@ -141,16 +141,11 @@ int decode_line (char *s,
     issue ipsec commmands to turn on connection 'name'
 */
 void turn_connection_on (char *name, char *type) {
-        char command[STRING_SIZE];
-       FILE *file = NULL;
-
-       if (file = fopen("/var/run/vpn-watch.pid", "r")) {
-           safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
-           safe_system("unlink /var/run/vpn-watch.pid");
-           close(file);
-       }
+/*
+    if you find a way to start a single connection without changing all add it
+    here. Change also vpn-watch.
+*/
         safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
-        safe_system("/usr/local/bin/vpn-watch &");
 }
 /*
     issue ipsec commmands to turn off connection 'name'
@@ -193,6 +188,12 @@ int main(int argc, char *argv[]) {
 
  /* Get vpnwatch pid */
 
+
+       if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
+           safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
+           safe_system("unlink /var/run/vpn-watch.pid");
+           close(file);
+       }
  
         /* FIXME: workaround for pclose() issue - still no real idea why
          * this is happening */
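Review bot: `close(file)` at the end of the added block hands a `FILE *` to `close(2)`, which takes an int descriptor; it should be `fclose(file);` (the removed code in turn_connection_on had the same mistake, and this hunk re-introduces it). The pid file is only opened to test for existence and its contents are then re-read by a shell via `$(cat …)`, so an empty file makes `kill -9` run with no argument; reading the pid with `fscanf` and calling `kill(2)` directly avoids the shell round-trip, the way rebuildhosts.c handles the dnsmasq pid (this assumes `<signal.h>` and `<unistd.h>` are already included, which the hunk does not show). Note also that this block and the start branch in the last hunk (`argc == 2` with `argv[1]` equal to `"S"`) only fire for a bare `ipsecctrl S`, whereas vpn-watch in this same commit now calls `ipsecctrl S <id>`; unless main handles `argc == 3` elsewhere, that call no longer reaches the restart. main continues outside the hunk, and `file` is presumably declared there.
```c
	/* … unchanged: earlier argument handling … */
	if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
		int watchpid = 0;
		/* read the pid ourselves instead of handing the file to a shell */
		if (fscanf(file, "%d", &watchpid) == 1 && watchpid > 1)
			kill(watchpid, SIGKILL);
		fclose(file);
		unlink("/var/run/vpn-watch.pid");
	}
```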
@@ -338,6 +339,8 @@ int main(int argc, char *argv[]) {
 
         // start the system
         if ((argc == 2) && strcmp(argv[1], "S") == 0) {
+               safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
+               safe_system("/usr/local/bin/vpn-watch &");
                 exit(0);
         }
 
index 115cdba..0840887 100644 (file)
-/* IPCop helper program - rebuildhosts\r
- *\r
- * This program is distributed under the terms of the GNU General Public\r
- * Licence.  See the file COPYING for details.\r
- *\r
- * (c) Alan Hourihane, 2003\r
- * \r
- *\r
- * $Id: rebuildhosts.c,v 1.3.2.6 2005/07/11 10:56:47 franck78 Exp $\r
- *\r
- */\r
-\r
-#include "libsmooth.h"\r
-#include <stdio.h>\r
-#include <stdlib.h>\r
-#include <unistd.h>\r
-#include <fcntl.h>\r
-#include <string.h>\r
-#include <sys/types.h>\r
-#include <sys/stat.h>\r
-#include <signal.h>\r
-#include "setuid.h"\r
-\r
-FILE *fd = NULL;\r
-FILE *hosts = NULL;\r
-struct keyvalue *kv = NULL;\r
-\r
-void exithandler(void)\r
-{\r
-       if (kv)\r
-               freekeyvalues(kv);\r
-       if (fd)\r
-               fclose(fd);\r
-       if (hosts)\r
-               fclose(hosts);\r
-}\r
-\r
-int main(int argc, char *argv[])\r
-{\r
-       int fdpid; \r
-       char hostname[STRING_SIZE];\r
-       char domainname[STRING_SIZE] = "";\r
-       char buffer[STRING_SIZE];\r
-       char address[STRING_SIZE];\r
-       char *active, *ip, *host, *domain;\r
-       int pid;\r
-\r
-       if (!(initsetuid()))\r
-               exit(1);\r
-\r
-       atexit(exithandler);\r
-\r
-       memset(buffer, 0, STRING_SIZE);\r
-\r
-       kv = initkeyvalues();\r
-       if (!(readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")))\r
-       {\r
-               fprintf(stderr, "Couldn't read ethernet settings\n");\r
-               exit(1);\r
-       }\r
-       findkey(kv, "GREEN_ADDRESS", address);\r
-       freekeyvalues(kv);\r
-\r
-       kv = initkeyvalues();\r
-       if (!(readkeyvalues(kv, CONFIG_ROOT "/main/settings")))\r
-       {\r
-               fprintf(stderr, "Couldn't read main settings\n");\r
-               exit(1);\r
-       }\r
-       strcpy(hostname, SNAME ); \r
-       findkey(kv, "HOSTNAME", hostname);\r
-       findkey(kv, "DOMAINNAME", domainname);\r
-       freekeyvalues(kv);\r
-       kv = NULL;\r
-\r
-       if (!(fd = fopen(CONFIG_ROOT "/main/hosts", "r")))\r
-       {\r
-               fprintf(stderr, "Couldn't open main hosts file\n");\r
-               exit(1);\r
-       }\r
-       if (!(hosts = fopen("/etc/hosts", "w")))\r
-       {\r
-               fprintf(stderr, "Couldn't open /etc/hosts file\n");\r
-               fclose(fd);\r
-               fd = NULL;\r
-               exit(1);\r
-       }\r
-       fprintf(hosts, "127.0.0.1\tlocalhost\n");\r
-       if (strlen(domainname))\r
-               fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname);\r
-       else\r
-               fprintf(hosts, "%s\t%s\n",address,hostname);\r
-       while (fgets(buffer, STRING_SIZE, fd))\r
-       {\r
-               buffer[strlen(buffer) - 1] = 0;\r
-               if (buffer[0]==',') continue;           /* disabled if empty field      */\r
-               active = strtok(buffer, ",");\r
-               if (strcmp(active, "off")==0) continue; /* or 'off'                     */\r
-               \r
-               ip = strtok(NULL, ",");\r
-               host = strtok(NULL, ",");\r
-               domain = strtok(NULL, ",");\r
-\r
-               if (!(ip && host))\r
-                       continue;       // bad line ? skip\r
-\r
-               if (!VALID_IP(ip))\r
-               {\r
-                       fprintf(stderr, "Bad IP: %s\n", ip);\r
-                       continue;       /*  bad ip, skip */\r
-               }\r
-\r
-               if (strspn(host, LETTERS_NUMBERS "-") != strlen(host))\r
-               {\r
-                       fprintf(stderr, "Bad Host: %s\n", host);\r
-                       continue;       /*  bad name, skip */\r
-               }\r
-\r
-               if (domain)\r
-                       fprintf(hosts, "%s\t%s.%s\t%s\n",ip,host,domain,host);\r
-               else\r
-                       fprintf(hosts, "%s\t%s\n",ip,host);\r
-       }\r
-       fclose(fd);\r
-       fd = NULL;\r
-       fclose(hosts);\r
-       hosts = NULL;\r
-\r
-       if ((fdpid = open("/var/run/dnsmasq.pid", O_RDONLY)) == -1)\r
-       {\r
-               fprintf(stderr, "Couldn't open pid file\n");\r
-               exit(1);\r
-       }\r
-       if (read(fdpid, buffer, STRING_SIZE - 1) == -1)\r
-       {\r
-               fprintf(stderr, "Couldn't read from pid file\n");\r
-               close(fdpid);\r
-               exit(1);\r
-       }\r
-       close(fdpid);\r
-       pid = atoi(buffer);\r
-       if (pid <= 1)\r
-       {\r
-               fprintf(stderr, "Bad pid value\n");\r
-               exit(1);\r
-       }\r
-       if (kill(pid, SIGHUP) == -1)\r
-       {\r
-               fprintf(stderr, "Unable to send SIGHUP\n");\r
-               exit(1);\r
-       }\r
-\r
-       return 0;\r
-}\r
+/* IPCop helper program - rebuildhosts
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence.  See the file COPYING for details.
+ *
+ * (c) Alan Hourihane, 2003
+ * 
+ *
+ * $Id: rebuildhosts.c,v 1.3.2.6 2005/07/11 10:56:47 franck78 Exp $
+ *
+ */
+
+#include "libsmooth.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <signal.h>
+#include "setuid.h"
+
+FILE *fd = NULL;
+FILE *hosts = NULL;
+FILE *gw = NULL;
+struct keyvalue *kv = NULL;
+
+void exithandler(void)
+{
+       if (kv)
+               freekeyvalues(kv);
+       if (fd)
+               fclose(fd);
+       if (hosts)
+               fclose(hosts);
+       if (gw)
+               fclose(gw);
+}
+
+int main(int argc, char *argv[])
+{
+       int fdpid; 
+       char hostname[STRING_SIZE];
+       char domainname[STRING_SIZE] = "";
+       char gateway[STRING_SIZE] = "";
+       char buffer[STRING_SIZE];
+       char address[STRING_SIZE];
+       char *active, *ip, *host, *domain;
+       int pid;
+
+       if (!(initsetuid()))
+               exit(1);
+
+       atexit(exithandler);
+
+       memset(buffer, 0, STRING_SIZE);
+
+       kv = initkeyvalues();
+       if (!(readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")))
+       {
+               fprintf(stderr, "Couldn't read ethernet settings\n");
+               exit(1);
+       }
+       findkey(kv, "GREEN_ADDRESS", address);
+       freekeyvalues(kv);
+
+       kv = initkeyvalues();
+       if (!(readkeyvalues(kv, CONFIG_ROOT "/main/settings")))
+       {
+               fprintf(stderr, "Couldn't read main settings\n");
+               exit(1);
+       }
+       strcpy(hostname, SNAME ); 
+       findkey(kv, "HOSTNAME", hostname);
+       findkey(kv, "DOMAINNAME", domainname);
+       freekeyvalues(kv);
+       kv = NULL;
+
+       if (!(gw = fopen(CONFIG_ROOT "/red/remote-ipaddress", "r")))
+       {
+               fprintf(stderr, "Couldn't open remote-ipaddress file\n");
+               fclose(gw);
+               gw = NULL;
+               exit(1);
+       }
+
+       if (fgets(gateway, STRING_SIZE, gw) == NULL)
+       {
+               fprintf(stderr, "Couldn't read remote-ipaddress\n");
+               exit(1);
+       }
+
+       if (!(fd = fopen(CONFIG_ROOT "/main/hosts", "r")))
+       {
+               fprintf(stderr, "Couldn't open main hosts file\n");
+               exit(1);
+       }
+
+       if (!(hosts = fopen("/etc/hosts", "w")))
+       {
+               fprintf(stderr, "Couldn't open /etc/hosts file\n");
+               fclose(fd);
+               fd = NULL;
+               exit(1);
+       }
+       fprintf(hosts, "127.0.0.1\tlocalhost\n");
+       if (strlen(domainname))
+               fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname);
+       else
+               fprintf(hosts, "%s\t%s\n",address,hostname);
+
+       fprintf(hosts, "%s\tgateway\n",gateway);
+
+       while (fgets(buffer, STRING_SIZE, fd))
+       {
+               buffer[strlen(buffer) - 1] = 0;
+               if (buffer[0]==',') continue;           /* disabled if empty field      */
+               active = strtok(buffer, ",");
+               if (strcmp(active, "off")==0) continue; /* or 'off'                     */
+               
+               ip = strtok(NULL, ",");
+               host = strtok(NULL, ",");
+               domain = strtok(NULL, ",");
+
+               if (!(ip && host))
+                       continue;       // bad line ? skip
+
+               if (!VALID_IP(ip))
+               {
+                       fprintf(stderr, "Bad IP: %s\n", ip);
+                       continue;       /*  bad ip, skip */
+               }
+
+               if (strspn(host, LETTERS_NUMBERS "-") != strlen(host))
+               {
+                       fprintf(stderr, "Bad Host: %s\n", host);
+                       continue;       /*  bad name, skip */
+               }
+
+               if (domain)
+                       fprintf(hosts, "%s\t%s.%s\t%s\n",ip,host,domain,host);
+               else
+                       fprintf(hosts, "%s\t%s\n",ip,host);
+       }
+       fclose(fd);
+       fd = NULL;
+       fclose(hosts);
+       hosts = NULL;
+
+       if ((fdpid = open("/var/run/dnsmasq.pid", O_RDONLY)) == -1)
+       {
+               fprintf(stderr, "Couldn't open pid file\n");
+               exit(1);
+       }
+       if (read(fdpid, buffer, STRING_SIZE - 1) == -1)
+       {
+               fprintf(stderr, "Couldn't read from pid file\n");
+               close(fdpid);
+               exit(1);
+       }
+       close(fdpid);
+       pid = atoi(buffer);
+       if (pid <= 1)
+       {
+               fprintf(stderr, "Bad pid value\n");
+               exit(1);
+       }
+       if (kill(pid, SIGHUP) == -1)
+       {
+               fprintf(stderr, "Unable to send SIGHUP\n");
+               exit(1);
+       }
+
+       return 0;
+}
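Review bot: In the new `gw` block, the failure branch calls `fclose(gw)` right after `fopen` has returned NULL, which is undefined behaviour (glibc crashes on it); drop the `fclose`/`gw = NULL` pair there, since `exithandler` already skips a NULL handle. The same block makes the whole /etc/hosts rebuild fail when `red/remote-ipaddress` is missing, which is the normal state while RED is down, whereas before this change the GREEN entries were always written; the gateway entry should be optional. Two further points on the `fprintf(hosts, "%s\tgateway\n", gateway)` line: `fgets` keeps the trailing newline, so if the file ends with one the entry is split across two lines, and unlike the entries taken from main/hosts the value is never passed through `VALID_IP`. Almost all of the section is a CRLF-to-LF conversion of unchanged code, which hides the real change in review; a separate whitespace-only commit would help.
```c
	/* … unchanged: hostname/domainname lookup … */
	/* The gateway entry is optional: while RED is down the file does not
	 * exist, and /etc/hosts must still be rebuilt for the GREEN hosts. */
	if ((gw = fopen(CONFIG_ROOT "/red/remote-ipaddress", "r")))
	{
		if (fgets(gateway, STRING_SIZE, gw))
			gateway[strcspn(gateway, "\r\n")] = 0;	/* fgets keeps the newline */
		else
			gateway[0] = 0;
		fclose(gw);
		gw = NULL;
	}
	/* … unchanged: open main/hosts and /etc/hosts, write localhost and host lines … */
	if (strlen(gateway) && VALID_IP(gateway))
		fprintf(hosts, "%s\tgateway\n", gateway);
	else if (strlen(gateway))
		fprintf(stderr, "Bad gateway IP: %s\n", gateway);
	/* … unchanged: main/hosts loop, dnsmasq SIGHUP … */
```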
index 3f7757a..0c5f62d 100755 (executable)
@@ -1,6 +1,6 @@
 #!/usr/bin/perl 
 ##################################################
-#####     VPN-Watch.pl     Version 0.4c      #####
+#####     VPN-Watch.pl     Version 0.      #####
 ##################################################
 #                                                #
 #   VPN-Watch is part of the IPFire Firewall     #
@@ -24,13 +24,17 @@ if ( -e $file ){
   }
 
 system("echo $$ > $file");
-    
+my $round=0;
 while ( $i == 0){
   if ($debug){logger("We will wait 60 seconds before next action.");}
     sleep(60);
-  
-  if (open(FILE, "<${General::swroot}/vpn/config")) {
-    @vpnsettings = <FILE>;
+
+  $round++;
+
+   # Reset roundcounter after 10 min. To do established check.
+  if ($round > 9) { $round=0 }
+
+  if (open(FILE, "<${General::swroot}/vpn/config")) {    @vpnsettings = <FILE>;
     close(FILE);
     unless(@vpnsettings) {exit 1;}
   }
@@ -50,12 +54,21 @@ foreach (@vpnsettings){
   
   my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
   if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
-  my $ipmatch= `echo "$status" | grep $remoteip | grep $settings[2]`;
+  my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
+  my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`; 
   
   if ( $ipmatch eq '' ){
-    logger("Remote IP for host $remotehostname-$remoteip has changed, restarting ipsec.");
-    system("/usr/local/bin/ipsecctrl S");
+    logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
+    system("/usr/local/bin/ipsecctrl S $settings[0]");
     last; #all connections will reloaded
+          #remove this if ipsecctrl can restart single con again
+  }
+  if ( ($round = 0) && ($established eq '')) {
+    logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
+    system("/usr/local/bin/ipsecctrl S $settings[0]");
+    last; #all connections will reloaded
+          #remove this if ipsecctrl can restart single con again
+
   }
  }
  if ($debug){logger("All connections may be fine nothing was done.");}
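Review bot: `if ( ($round = 0) && ($established eq '')) {` assigns instead of comparing, so the condition is always false, the new erouted check never runs, and `$round` is silently reset to 0 on every connection, which also defeats the `$round > 9` reset in the earlier hunk; it should read `if ( ($round == 0) && ($established eq '')) {`. The two new `system("/usr/local/bin/ipsecctrl S $settings[0]")` calls pass a value from the vpn config through the shell; the list form `system('/usr/local/bin/ipsecctrl', 'S', $settings[0])` avoids that, and the same applies to `$settings[2]` interpolated into the backtick grep pipelines earlier in the hunk, where an embedded single quote would break the command. Note too that ipsecctrl's start branch in this same commit requires `argc == 2`, so the extra argument may keep the restart from happening unless ipsecctrl handles it elsewhere. In the earlier hunk, `if (open(FILE, "<${General::swroot}/vpn/config")) {    @vpnsettings = <FILE>;` has two statements merged onto one line, and the banner was truncated to `Version 0.`. The foreach loop starts before the hunk.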
@@ -65,4 +78,3 @@ sub logger {
         my $log = shift;
         system("logger -t vpnwatch \"$log\"");
 }
-