[people/teissler/ipfire-2.x.git] / src / misc-progs / ipsecctrl.c

/*\r
 *\r
 * File originally from the Smoothwall project\r
 * (c) 2001 Smoothwall Team\r
 *\r
 * $Id: ipsecctrl.c,v 1.5.2.14 2005/05/15 12:58:28 rkerr Exp $\r
 *\r
 */\r
\r
#include "libsmooth.h"\r
#include <stdio.h>\r
#include <stdlib.h>\r
#include <string.h>\r
#include <unistd.h>\r
#include <sys/types.h>\r
#include <sys/stat.h>\r
#include <signal.h>\r
#include "setuid.h"\r
\r
void usage() {\r
	fprintf (stderr, "Usage:\n");\r
	fprintf (stderr, "\tipsecctrl S [connectionkey]\n");\r
	fprintf (stderr, "\tipsecctrl D [connectionkey]\n");\r
	fprintf (stderr, "\tipsecctrl R\n");\r
	fprintf (stderr, "\t\tS : Start/Restart Connection\n");\r
	fprintf (stderr, "\t\tD : Stop Connection\n");\r
	fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n");\r
}\r
\r
void loadalgmodules() {\r
	safe_system("/sbin/modprobe ipsec_3des");\r
	safe_system("/sbin/modprobe ipsec_aes");\r
	safe_system("/sbin/modprobe ipsec_blowfish");\r
	safe_system("/sbin/modprobe ipsec_md5");\r
	safe_system("/sbin/modprobe ipsec_serpent");\r
	safe_system("/sbin/modprobe ipsec_sha1");\r
	safe_system("/sbin/modprobe ipsec_sha2");\r
	safe_system("/sbin/modprobe ipsec_twofish");\r
}\r
\r
void ipsecrules(char *chain, char *interface)\r
{\r
	char str[STRING_SIZE];\r
\r
	sprintf(str, "/sbin/iptables -A %s -p 47  -i %s -j ACCEPT", chain, interface);\r
	safe_system(str);\r
	sprintf(str, "/sbin/iptables -A %s -p 50  -i %s -j ACCEPT", chain, interface);\r
	safe_system(str);\r
	sprintf(str, "/sbin/iptables -A %s -p 51  -i %s -j ACCEPT", chain, interface);\r
	safe_system(str);\r
	sprintf(str, "/sbin/iptables -A %s -p udp -i %s --sport 500 --dport 500 -j ACCEPT", chain, interface);\r
	safe_system(str);\r
	sprintf(str, "/sbin/iptables -A %s -p udp -i %s --dport 4500 -j ACCEPT", chain, interface);\r
	safe_system(str);\r
}\r
\r
void addaliasinterfaces(char *configtype, char *redtype, char *redif, char *enablered, char*enableblue)\r
{\r
	FILE *file = NULL;\r
	char s[STRING_SIZE];\r
	char *sptr;\r
	char *aliasip=NULL;\r
	char *enabled=NULL;\r
	char *comment=NULL;\r
	int count=0;\r
	int alias=0;\r
	int add=0;\r
\r
	if ( strcmp(enablered, "on") == 0 ) \r
		add += 1;\r
	if ( strcmp(enableblue, "on") == 0 )\r
		add += 1;\r
	\r
	/* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not,\r
	* exit gracefully.  This is not an error... */\r
	if (!((strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) || (strcmp(configtype, "6")==0) || (strcmp(configtype, "7")==0)))\r
		return;\r
\r
        /* Now check the RED_TYPE - aliases only work with STATIC. */\r
	if (!(strcmp(redtype, "STATIC")==0))\r
		return;\r
\r
	/* Now set up the new aliases from the config file */\r
	if (!(file = fopen(CONFIG_ROOT "/ethernet/aliases", "r")))\r
	{\r
		fprintf(stderr, "Unable to open aliases configuration file\n");\r
		return;\r
	}\r
\r
	while (fgets(s, STRING_SIZE, file) != NULL && (add+alias) < 16)\r
	{\r
		if (s[strlen(s) - 1] == '\n')\r
			s[strlen(s) - 1] = '\0';\r
		sptr = strtok(s, ",");\r
		count = 0;\r
		aliasip = NULL;\r
		enabled = NULL;\r
		comment = NULL;\r
		while (sptr)\r
		{\r
			if (count == 0)\r
				aliasip = sptr;\r
			if (count == 1)\r
				enabled = sptr;\r
			else\r
				comment = sptr;\r
			count++;\r
			sptr = strtok(NULL, ",");\r
		}\r
\r
		if (!(aliasip && enabled))\r
			continue;\r
\r
		if (!VALID_IP(aliasip))\r
		{\r
			fprintf(stderr, "Bad alias : %s\n", aliasip);\r
			return;\r
		}\r
\r
		if (strcmp(enabled, "on") == 0)\r
		{\r
			memset(s, 0, STRING_SIZE);\r
			snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", alias+add, redif, alias);\r
			safe_system(s);\r
			alias++;\r
		}\r
	}\r
}\r
\r
int main(int argc, char *argv[]) {\r
	int count;\r
	char s[STRING_SIZE];\r
	char configtype[STRING_SIZE];\r
	char redtype[STRING_SIZE] = "";\r
	char command[STRING_SIZE];\r
	char *result;\r
	char *key;\r
	char *enabled;\r
	char *name;\r
	char *type;\r
	char *running;\r
	FILE *file = NULL;\r
	struct keyvalue *kv = NULL;\r
	char enablered[STRING_SIZE] = "off";\r
	char enableblue[STRING_SIZE] = "off";\r
	char redif[STRING_SIZE] = "";;\r
	char blueif[STRING_SIZE] = "";\r
	FILE *ifacefile = NULL;\r
			\r
	if (!(initsetuid()))\r
		exit(1);\r
	\r
	if (argc < 2) {\r
		usage();\r
		exit(1);\r
	}\r
\r
	/* FIXME: workaround for pclose() issue - still no real idea why\r
	 * this is happening */\r
	signal(SIGCHLD, SIG_DFL);\r
\r
	/* Init the keyvalue structure */\r
	kv=initkeyvalues();\r
\r
	/* Read in the current values */\r
	if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))\r
	{\r
		fprintf(stderr, "Cannot read vpn settings\n");\r
		exit(1);\r
	}\r
\r
	findkey(kv, "ENABLED", enablered);\r
	findkey(kv, "ENABLED_BLUE", enableblue);\r
\r
	freekeyvalues(kv);\r
	kv=initkeyvalues();\r
\r
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
	{\r
		fprintf(stderr, "Cannot read ethernet settings\n");\r
		exit(1);\r
	}\r
\r
	if (!findkey(kv, "CONFIG_TYPE", configtype))\r
	{\r
		fprintf(stderr, "Cannot read CONFIG_TYPE\n");\r
		exit(1);\r
	}\r
\r
	findkey(kv, "RED_TYPE", redtype);\r
	findkey(kv, "BLUE_DEV", blueif);\r
	freekeyvalues(kv);\r
	memset(redif, 0, STRING_SIZE);\r
\r
	if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
	{\r
		if (fgets(redif, STRING_SIZE, ifacefile))\r
		{\r
			if (redif[strlen(redif) - 1] == '\n')\r
				redif[strlen(redif) - 1] = '\0';\r
		}\r
		fclose (ifacefile);\r
		ifacefile = NULL;\r
\r
		if (!VALID_DEVICE(redif))\r
		{\r
			memset(redif, 0, STRING_SIZE);\r
		}\r
	}\r
\r
	safe_system("/sbin/iptables -F IPSECRED");\r
	if (!strcmp(enablered, "on") && strlen(redif)) {\r
		ipsecrules("IPSECRED", redif);\r
	}\r
\r
	safe_system("/sbin/iptables -F IPSECBLUE");\r
	if (!strcmp(enableblue, "on")) {\r
		if (VALID_DEVICE(blueif))\r
			ipsecrules("IPSECBLUE", blueif);\r
		else\r
		{\r
			fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");\r
			exit(1);\r
		}\r
	}\r
\r
	/* Only shutdown pluto if it really is running */\r
	if (argc == 2) {\r
		if (strcmp(argv[1], "D") == 0) {\r
			int fd;\r
   			/* Get pluto pid */\r
   			if ((fd = open("/var/run/pluto.pid", O_RDONLY)) != -1) {\r
				safe_system("/etc/rc.d/ipsec stop 2> /dev/null >/dev/null");\r
				close(fd);\r
			}\r
		}\r
	}\r
\r
	if ((strcmp(enablered, "on") || !strlen(redif)) && strcmp(enableblue, "on"))\r
		exit(0);\r
\r
	if (argc == 2) {\r
		if (strcmp(argv[1], "S") == 0) {\r
			loadalgmodules();\r
			safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null");\r
			safe_system("/etc/rc.d/ipsec restart >/dev/null");\r
			addaliasinterfaces(configtype, redtype, redif, enablered, enableblue);\r
		} else if (strcmp(argv[1], "R") == 0) {\r
			safe_system("/usr/sbin/ipsec auto --rereadall");\r
		} else {\r
			fprintf(stderr, "Bad arg\n");\r
			usage();\r
			exit(1);\r
		}\r
	} else if (strspn(argv[2], NUMBERS) == strlen(argv[2])) {\r
		if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {\r
			fprintf(stderr, "Couldn't open vpn settings file");\r
			exit(1);\r
		}\r
		while (fgets(s, STRING_SIZE, file) != NULL) {\r
			if (s[strlen(s) - 1] == '\n')\r
				s[strlen(s) - 1] = '\0';\r
			running = strdup (s);\r
			result = strsep(&running, ",");\r
			count = 0;\r
			key = NULL;\r
			name = NULL;\r
			enabled = NULL;\r
			type = NULL;\r
			while (result) {\r
				if (count == 0)\r
					key = result;\r
				if (count == 1)\r
					enabled = result;	\r
				if (count == 2)\r
					name = result;\r
				if (count == 4)\r
					type = result;\r
				count++;\r
				result = strsep(&running, ",");\r
			}\r
			if (strcmp(key, argv[2]) != 0)\r
				continue;\r
			\r
			if (!(name && enabled))\r
				continue;\r
			\r
			if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {\r
				fprintf(stderr, "Bad connection name: %s\n", name);\r
				goto EXIT;\r
			}\r
\r
			if (! (strcmp(type, "host") == 0 || strcmp(type, "net") == 0)) {\r
				fprintf(stderr, "Bad connection type: %s\n", type);\r
				goto EXIT;\r
			}\r
			\r
			if (strcmp(argv[1], "S") == 0 && strcmp(enabled, "on") == 0) {\r
				safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");\r
				memset(command, 0, STRING_SIZE);\r
				snprintf(command, STRING_SIZE - 1, \r
					"/usr/sbin/ipsec auto --replace %s >/dev/null", name);\r
				safe_system(command);\r
				if (strcmp(type, "net") == 0) {\r
					memset(command, 0, STRING_SIZE);\r
					snprintf(command, STRING_SIZE - 1, \r
						"/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name);\r
					safe_system(command);\r
				}\r
			} else if (strcmp(argv[1], "D") == 0) {\r
				safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");\r
				memset(command, 0, STRING_SIZE);\r
				snprintf(command, STRING_SIZE - 1, \r
					"/usr/sbin/ipsec auto --down %s >/dev/null", name);\r
				safe_system(command);\r
				memset(command, 0, STRING_SIZE);\r
				snprintf(command, STRING_SIZE - 1, \r
					"/usr/sbin/ipsec auto --delete %s >/dev/null", name);\r
				safe_system(command);\r
			}\r
		}\r
	} else {\r
		fprintf(stderr, "Bad arg\n");\r
		usage();\r
		exit(1);\r
	}\r
\r
EXIT:\r
	if (file)\r
		fclose(file);\r
	return 0;\r
}\r
Commit	Line	Data
cd1a2927 MT	1	/*\r
	2	*\r
	3	* File originally from the Smoothwall project\r
	4	* (c) 2001 Smoothwall Team\r
	5	*\r
	6	* $Id: ipsecctrl.c,v 1.5.2.14 2005/05/15 12:58:28 rkerr Exp $\r
	7	*\r
	8	*/\r
	9	\r
	10	#include "libsmooth.h"\r
	11	#include <stdio.h>\r
	12	#include <stdlib.h>\r
	13	#include <string.h>\r
	14	#include <unistd.h>\r
	15	#include <sys/types.h>\r
	16	#include <sys/stat.h>\r
	17	#include <signal.h>\r
	18	#include "setuid.h"\r
	19	\r
	20	void usage() {\r
	21	fprintf (stderr, "Usage:\n");\r
	22	fprintf (stderr, "\tipsecctrl S [connectionkey]\n");\r
	23	fprintf (stderr, "\tipsecctrl D [connectionkey]\n");\r
	24	fprintf (stderr, "\tipsecctrl R\n");\r
	25	fprintf (stderr, "\t\tS : Start/Restart Connection\n");\r
	26	fprintf (stderr, "\t\tD : Stop Connection\n");\r
	27	fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n");\r
	28	}\r
	29	\r
	30	void loadalgmodules() {\r
	31	safe_system("/sbin/modprobe ipsec_3des");\r
	32	safe_system("/sbin/modprobe ipsec_aes");\r
	33	safe_system("/sbin/modprobe ipsec_blowfish");\r
	34	safe_system("/sbin/modprobe ipsec_md5");\r
	35	safe_system("/sbin/modprobe ipsec_serpent");\r
	36	safe_system("/sbin/modprobe ipsec_sha1");\r
	37	safe_system("/sbin/modprobe ipsec_sha2");\r
	38	safe_system("/sbin/modprobe ipsec_twofish");\r
	39	}\r
	40	\r
	41	void ipsecrules(char chain, char interface)\r
	42	{\r
	43	char str[STRING_SIZE];\r
	44	\r
	45	sprintf(str, "/sbin/iptables -A %s -p 47 -i %s -j ACCEPT", chain, interface);\r
	46	safe_system(str);\r
	47	sprintf(str, "/sbin/iptables -A %s -p 50 -i %s -j ACCEPT", chain, interface);\r
	48	safe_system(str);\r
	49	sprintf(str, "/sbin/iptables -A %s -p 51 -i %s -j ACCEPT", chain, interface);\r
	50	safe_system(str);\r
	51	sprintf(str, "/sbin/iptables -A %s -p udp -i %s --sport 500 --dport 500 -j ACCEPT", chain, interface);\r
	52	safe_system(str);\r
	53	sprintf(str, "/sbin/iptables -A %s -p udp -i %s --dport 4500 -j ACCEPT", chain, interface);\r
	54	safe_system(str);\r
	55	}\r
	56	\r
	57	void addaliasinterfaces(char configtype, char redtype, char redif, char enablered, char*enableblue)\r
	58	{\r
	59	FILE *file = NULL;\r
	60	char s[STRING_SIZE];\r
	61	char *sptr;\r
	62	char *aliasip=NULL;\r
	63	char *enabled=NULL;\r
	64	char *comment=NULL;\r
65	int count=0;\r
66	int alias=0;\r
67	int add=0;\r
68	\r
69	if ( strcmp(enablered, "on") == 0 ) \r
70	add += 1;\r
71	if ( strcmp(enableblue, "on") == 0 )\r
72	add += 1;\r
73	\r
74	/* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not,\r
75	* exit gracefully. This is not an error... */\r
76	if (!((strcmp(configtype, "2")==0) \|\| (strcmp(configtype, "3")==0) \|\| (strcmp(configtype, "6")==0) \|\| (strcmp(configtype, "7")==0)))\r
77	return;\r
78	\r
79	/* Now check the RED_TYPE - aliases only work with STATIC. */\r
80	if (!(strcmp(redtype, "STATIC")==0))\r
81	return;\r
82	\r
83	/* Now set up the new aliases from the config file */\r
84	if (!(file = fopen(CONFIG_ROOT "/ethernet/aliases", "r")))\r
85	{\r
86	fprintf(stderr, "Unable to open aliases configuration file\n");\r
87	return;\r
88	}\r
89	\r
90	while (fgets(s, STRING_SIZE, file) != NULL && (add+alias) < 16)\r
91	{\r
92	if (s[strlen(s) - 1] == '\n')\r
93	s[strlen(s) - 1] = '\0';\r
94	sptr = strtok(s, ",");\r
95	count = 0;\r
96	aliasip = NULL;\r
97	enabled = NULL;\r
98	comment = NULL;\r
99	while (sptr)\r
100	{\r
101	if (count == 0)\r
102	aliasip = sptr;\r
103	if (count == 1)\r
104	enabled = sptr;\r
105	else\r
106	comment = sptr;\r
107	count++;\r
108	sptr = strtok(NULL, ",");\r
109	}\r
110	\r
111	if (!(aliasip && enabled))\r
112	continue;\r
113	\r
114	if (!VALID_IP(aliasip))\r
115	{\r
116	fprintf(stderr, "Bad alias : %s\n", aliasip);\r
117	return;\r
118	}\r
119	\r
120	if (strcmp(enabled, "on") == 0)\r
121	{\r
122	memset(s, 0, STRING_SIZE);\r
123	snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", alias+add, redif, alias);\r
124	safe_system(s);\r
125	alias++;\r
126	}\r
127	}\r
128	}\r
129	\r
130	int main(int argc, char *argv[]) {\r
131	int count;\r
132	char s[STRING_SIZE];\r
133	char configtype[STRING_SIZE];\r
134	char redtype[STRING_SIZE] = "";\r
135	char command[STRING_SIZE];\r
136	char *result;\r
137	char *key;\r
138	char *enabled;\r
139	char *name;\r
140	char *type;\r
141	char *running;\r
142	FILE *file = NULL;\r
143	struct keyvalue *kv = NULL;\r
144	char enablered[STRING_SIZE] = "off";\r
145	char enableblue[STRING_SIZE] = "off";\r
146	char redif[STRING_SIZE] = "";;\r
147	char blueif[STRING_SIZE] = "";\r
148	FILE *ifacefile = NULL;\r
149	\r
150	if (!(initsetuid()))\r
151	exit(1);\r
152	\r
153	if (argc < 2) {\r
154	usage();\r
155	exit(1);\r
156	}\r
157	\r
158	/* FIXME: workaround for pclose() issue - still no real idea why\r
159	* this is happening */\r
160	signal(SIGCHLD, SIG_DFL);\r
161	\r
162	/* Init the keyvalue structure */\r
163	kv=initkeyvalues();\r
164	\r
165	/* Read in the current values */\r
166	if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))\r
167	{\r
168	fprintf(stderr, "Cannot read vpn settings\n");\r
169	exit(1);\r
170	}\r
171	\r
172	findkey(kv, "ENABLED", enablered);\r
173	findkey(kv, "ENABLED_BLUE", enableblue);\r
174	\r
175	freekeyvalues(kv);\r
176	kv=initkeyvalues();\r
177	\r
178	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
179	{\r
180	fprintf(stderr, "Cannot read ethernet settings\n");\r
181	exit(1);\r
182	}\r
183	\r
184	if (!findkey(kv, "CONFIG_TYPE", configtype))\r
185	{\r
186	fprintf(stderr, "Cannot read CONFIG_TYPE\n");\r
187	exit(1);\r
188	}\r
189	\r
190	findkey(kv, "RED_TYPE", redtype);\r
191	findkey(kv, "BLUE_DEV", blueif);\r
192	freekeyvalues(kv);\r
193	memset(redif, 0, STRING_SIZE);\r
194	\r
195	if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
196	{\r
197	if (fgets(redif, STRING_SIZE, ifacefile))\r
198	{\r
199	if (redif[strlen(redif) - 1] == '\n')\r
200	redif[strlen(redif) - 1] = '\0';\r
201	}\r
202	fclose (ifacefile);\r
203	ifacefile = NULL;\r
204	\r
205	if (!VALID_DEVICE(redif))\r
206	{\r
207	memset(redif, 0, STRING_SIZE);\r
208	}\r
209	}\r
210	\r
211	safe_system("/sbin/iptables -F IPSECRED");\r
212	if (!strcmp(enablered, "on") && strlen(redif)) {\r
213	ipsecrules("IPSECRED", redif);\r
214	}\r
215	\r
216	safe_system("/sbin/iptables -F IPSECBLUE");\r
217	if (!strcmp(enableblue, "on")) {\r
218	if (VALID_DEVICE(blueif))\r
219	ipsecrules("IPSECBLUE", blueif);\r
220	else\r
221	{\r
222	fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");\r
223	exit(1);\r
224	}\r
225	}\r
226	\r
227	/* Only shutdown pluto if it really is running */\r
228	if (argc == 2) {\r
229	if (strcmp(argv[1], "D") == 0) {\r
230	int fd;\r
231	/* Get pluto pid */\r
232	if ((fd = open("/var/run/pluto.pid", O_RDONLY)) != -1) {\r
233	safe_system("/etc/rc.d/ipsec stop 2> /dev/null >/dev/null");\r
234	close(fd);\r
235	}\r
236	}\r
237	}\r
238	\r
239	if ((strcmp(enablered, "on") \|\| !strlen(redif)) && strcmp(enableblue, "on"))\r
240	exit(0);\r
241	\r
242	if (argc == 2) {\r
243	if (strcmp(argv[1], "S") == 0) {\r
244	loadalgmodules();\r
245	safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null");\r
246	safe_system("/etc/rc.d/ipsec restart >/dev/null");\r
247	addaliasinterfaces(configtype, redtype, redif, enablered, enableblue);\r
248	} else if (strcmp(argv[1], "R") == 0) {\r
249	safe_system("/usr/sbin/ipsec auto --rereadall");\r
250	} else {\r
251	fprintf(stderr, "Bad arg\n");\r
252	usage();\r
253	exit(1);\r
254	}\r
255	} else if (strspn(argv[2], NUMBERS) == strlen(argv[2])) {\r
256	if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {\r
257	fprintf(stderr, "Couldn't open vpn settings file");\r
258	exit(1);\r
259	}\r
260	while (fgets(s, STRING_SIZE, file) != NULL) {\r
261	if (s[strlen(s) - 1] == '\n')\r
262	s[strlen(s) - 1] = '\0';\r
263	running = strdup (s);\r
264	result = strsep(&running, ",");\r
265	count = 0;\r
266	key = NULL;\r
267	name = NULL;\r
268	enabled = NULL;\r
269	type = NULL;\r
270	while (result) {\r
271	if (count == 0)\r
272	key = result;\r
273	if (count == 1)\r
274	enabled = result; \r
275	if (count == 2)\r
276	name = result;\r
277	if (count == 4)\r
278	type = result;\r
279	count++;\r
280	result = strsep(&running, ",");\r
281	}\r
282	if (strcmp(key, argv[2]) != 0)\r
283	continue;\r
284	\r
285	if (!(name && enabled))\r
286	continue;\r
287	\r
288	if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {\r
289	fprintf(stderr, "Bad connection name: %s\n", name);\r
290	goto EXIT;\r
291	}\r
292	\r
293	if (! (strcmp(type, "host") == 0 \|\| strcmp(type, "net") == 0)) {\r
294	fprintf(stderr, "Bad connection type: %s\n", type);\r
295	goto EXIT;\r
296	}\r
297	\r
298	if (strcmp(argv[1], "S") == 0 && strcmp(enabled, "on") == 0) {\r
299	safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");\r
300	memset(command, 0, STRING_SIZE);\r
301	snprintf(command, STRING_SIZE - 1, \r
302	"/usr/sbin/ipsec auto --replace %s >/dev/null", name);\r
303	safe_system(command);\r
304	if (strcmp(type, "net") == 0) {\r
305	memset(command, 0, STRING_SIZE);\r
306	snprintf(command, STRING_SIZE - 1, \r
307	"/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name);\r
308	safe_system(command);\r
309	}\r
310	} else if (strcmp(argv[1], "D") == 0) {\r
311	safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");\r
312	memset(command, 0, STRING_SIZE);\r
313	snprintf(command, STRING_SIZE - 1, \r
314	"/usr/sbin/ipsec auto --down %s >/dev/null", name);\r
315	safe_system(command);\r
316	memset(command, 0, STRING_SIZE);\r
317	snprintf(command, STRING_SIZE - 1, \r
318	"/usr/sbin/ipsec auto --delete %s >/dev/null", name);\r
319	safe_system(command);\r
320	}\r
321	}\r
322	} else {\r
323	fprintf(stderr, "Bad arg\n");\r
324	usage();\r
325	exit(1);\r
326	}\r
327	\r
328	EXIT:\r
329	if (file)\r
330	fclose(file);\r
331	return 0;\r
332	}\r