570fdebab4583e3c10f6d8f2a56df42d3cfbed57
[people/teissler/ipfire-2.x.git] / src / misc-progs / ipsecctrl.c
1 /*
2 *
3 * File originally from the Smoothwall project
4 * (c) 2001 Smoothwall Team
5 *
6 */
7
8 #include "libsmooth.h"
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <unistd.h>
13 #include <sys/types.h>
14 #include <sys/stat.h>
15 #include <signal.h>
16
17 #include "setuid.h"
18 #include "netutil.h"
19
20 /*
21 This module is responsible for start stop of the vpn system.
22
23 1) it allows AH & ESP to get in from interface where a vpn is mounted
24 The NAT traversal is used on the udp 4500 port.
25
26 2) it starts the ipsec daemon
27 The RED interface is a problem because it can be up or down a startup.
28 Then, the state change and it must not affect other VPN mounted on
29 other interface.
30 Unfortunatly, openswan 1 cannot do that correctly. It cannot use an
31 interface without restarting everything.
32
33 */
34
35 void usage() {
36 fprintf (stderr, "Usage:\n");
37 fprintf (stderr, "\tipsecctrl S [connectionkey]\n");
38 fprintf (stderr, "\tipsecctrl D [connectionkey]\n");
39 fprintf (stderr, "\tipsecctrl R\n");
40 fprintf (stderr, "\tipsecctrl I\n");
41 fprintf (stderr, "\t\tS : Start/Restart Connection\n");
42 fprintf (stderr, "\t\tD : Stop Connection\n");
43 fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n");
44 fprintf (stderr, "\t\tI : Print Statusinfo\n");
45 }
46
47 /*
48 ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
49 */
50 void open_physical (char *interface, int nat_traversal_port) {
51 char str[STRING_SIZE];
52
53 // GRE ???
54 // sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
55 // safe_system(str);
56 // ESP
57 // sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
58 // safe_system(str);
59 // AH
60 // sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
61 // safe_system(str);
62 // IKE
63
64 sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
65 safe_system(str);
66 sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
67 safe_system(str);
68
69 if (! nat_traversal_port)
70 return;
71
72 sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
73 safe_system(str);
74 sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
75 safe_system(str);
76 }
77
78 void ipsec_norules() {
79 /* clear input rules */
80 safe_system("/sbin/iptables -F IPSECINPUT");
81 safe_system("/sbin/iptables -F IPSECFORWARD");
82 safe_system("/sbin/iptables -F IPSECOUTPUT");
83 }
84
85 /*
86 return values from the vpn config file or false if not 'on'
87 */
88 int decode_line (char *s,
89 char **key,
90 char **name,
91 char **type
92 ) {
93 int count = 0;
94 *key = NULL;
95 *name = NULL;
96 *type = NULL;
97
98 if (s[strlen(s) - 1] == '\n')
99 s[strlen(s) - 1] = '\0';
100
101 char *result = strsep(&s, ",");
102 while (result) {
103 if (count == 0)
104 *key = result;
105 if ((count == 1) && strcmp(result, "on") != 0)
106 return 0; // a disabled line
107 if (count == 2)
108 *name = result;
109 if (count == 4)
110 *type = result;
111 count++;
112 result = strsep(&s, ",");
113 }
114
115 // check other syntax
116 if (! *name)
117 return 0;
118
119 if (strspn(*name, LETTERS_NUMBERS) != strlen(*name)) {
120 fprintf(stderr, "Bad connection name: %s\n", *name);
121 return 0;
122 }
123
124 if (! (strcmp(*type, "host") == 0 || strcmp(*type, "net") == 0)) {
125 fprintf(stderr, "Bad connection type: %s\n", *type);
126 return 0;
127 }
128
129 //it's a valid & active line
130 return 1;
131 }
132
133 /*
134 issue ipsec commmands to turn on connection 'name'
135 */
136 void turn_connection_on(char *name, char *type) {
137 /*
138 * To bring up a connection, we need to reload the configuration
139 * and issue ipsec up afterwards. To make sure the connection
140 * is not established from the start, we bring it down in advance.
141 */
142 char command[STRING_SIZE];
143
144 // Bring down the connection (if established).
145 snprintf(command, STRING_SIZE - 1,
146 "/usr/sbin/ipsec down %s >/dev/null", name);
147 safe_system(command);
148
149 // Reload the configuration into the daemon (#10339).
150 ipsec_reload();
151
152 // Bring the connection up again.
153 snprintf(command, STRING_SIZE - 1,
154 "/usr/sbin/ipsec up %s >/dev/null", name);
155 safe_system(command);
156 }
157
158 /*
159 issue ipsec commmands to turn off connection 'name'
160 */
161 void turn_connection_off (char *name) {
162 /*
163 * To turn off a connection, all SAs must be turned down.
164 * After that, the configuration must be reloaded.
165 */
166 char command[STRING_SIZE];
167
168 // Bring down the connection.
169 snprintf(command, STRING_SIZE - 1,
170 "/usr/sbin/ipsec down %s >/dev/null", name);
171 safe_system(command);
172
173 // Reload, so the connection is dropped.
174 ipsec_reload();
175 }
176
177 void ipsec_reload() {
178 /* Re-read all configuration files and secrets and
179 * reload the daemon (#10339).
180 */
181 safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1");
182 safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
183 }
184
185 int main(int argc, char *argv[]) {
186 char configtype[STRING_SIZE];
187 char redtype[STRING_SIZE] = "";
188 struct keyvalue *kv = NULL;
189
190 if (argc < 2) {
191 usage();
192 exit(1);
193 }
194 if (!(initsetuid()))
195 exit(1);
196
197 FILE *file = NULL;
198
199
200 if (strcmp(argv[1], "I") == 0) {
201 safe_system("/usr/sbin/ipsec status");
202 exit(0);
203 }
204
205 if (strcmp(argv[1], "R") == 0) {
206 ipsec_reload();
207 exit(0);
208 }
209
210 /* FIXME: workaround for pclose() issue - still no real idea why
211 * this is happening */
212 signal(SIGCHLD, SIG_DFL);
213
214 /* handle operations that doesn't need start the ipsec system */
215 if (argc == 2) {
216 if (strcmp(argv[1], "D") == 0) {
217 safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
218 ipsec_norules();
219 exit(0);
220 }
221 }
222
223 /* read vpn config */
224 kv=initkeyvalues();
225 if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
226 {
227 fprintf(stderr, "Cannot read vpn settings\n");
228 exit(1);
229 }
230
231 /* check is the vpn system is enabled */
232 {
233 char s[STRING_SIZE];
234 findkey(kv, "ENABLED", s);
235 freekeyvalues(kv);
236 if (strcmp (s, "on") != 0)
237 exit(0);
238 }
239
240 /* read interface settings */
241 kv=initkeyvalues();
242 if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
243 {
244 fprintf(stderr, "Cannot read ethernet settings\n");
245 exit(1);
246 }
247 if (!findkey(kv, "CONFIG_TYPE", configtype))
248 {
249 fprintf(stderr, "Cannot read CONFIG_TYPE\n");
250 exit(1);
251 }
252 findkey(kv, "RED_TYPE", redtype);
253
254
255 /* Loop through the config file to find physical interface that will accept IPSEC */
256 int enable_red=0; // states 0: not used
257 int enable_green=0; // 1: error condition
258 int enable_orange=0; // 2: good
259 int enable_blue=0;
260 char if_red[STRING_SIZE] = "";
261 char if_green[STRING_SIZE] = "";
262 char if_orange[STRING_SIZE] = "";
263 char if_blue[STRING_SIZE] = "";
264 char s[STRING_SIZE];
265
266 // when RED is up, find interface name in special file
267 FILE *ifacefile = NULL;
268 if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
269 if (fgets(if_red, STRING_SIZE, ifacefile)) {
270 if (if_red[strlen(if_red) - 1] == '\n')
271 if_red[strlen(if_red) - 1] = '\0';
272 }
273 fclose (ifacefile);
274
275 if (VALID_DEVICE(if_red))
276 enable_red++;
277 }
278
279 // Check if GREEN is enabled.
280 findkey(kv, "GREEN_DEV", if_green);
281 if (VALID_DEVICE(if_green))
282 enable_green++;
283
284 // Check if ORANGE is enabled.
285 findkey(kv, "ORANGE_DEV", if_orange);
286 if (VALID_DEVICE(if_orange))
287 enable_orange++;
288
289 // Check if BLUE is enabled.
290 findkey(kv, "BLUE_DEV", if_blue);
291 if (VALID_DEVICE(if_blue))
292 enable_blue++;
293
294 freekeyvalues(kv);
295
296 // exit if nothing to do
297 if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
298 exit(0);
299
300 // open needed ports
301 if (enable_red > 0)
302 open_physical(if_red, 4500);
303
304 if (enable_green > 0)
305 open_physical(if_green, 4500);
306
307 if (enable_orange > 0)
308 open_physical(if_orange, 4500);
309
310 if (enable_blue > 0)
311 open_physical(if_blue, 4500);
312
313 // start the system
314 if ((argc == 2) && strcmp(argv[1], "S") == 0) {
315 safe_system("/usr/sbin/ipsec restart >/dev/null");
316 exit(0);
317 }
318
319 // it is a selective start or stop
320 // second param is only a number 'key'
321 if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
322 fprintf(stderr, "Bad arg: %s\n", argv[2]);
323 usage();
324 exit(1);
325 }
326
327 // search the vpn pointed by 'key'
328 if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
329 fprintf(stderr, "Couldn't open vpn settings file");
330 exit(1);
331 }
332 while (fgets(s, STRING_SIZE, file) != NULL) {
333 char *key;
334 char *name;
335 char *type;
336 if (!decode_line(s,&key,&name,&type))
337 continue;
338
339 // is it the 'key' requested ?
340 if (strcmp(argv[2], key) != 0)
341 continue;
342
343 // Start or Delete this Connection
344 if (strcmp(argv[1], "S") == 0)
345 turn_connection_on (name, type);
346 else if (strcmp(argv[1], "D") == 0)
347 turn_connection_off (name);
348 else {
349 fprintf(stderr, "Bad command\n");
350 exit(1);
351 }
352 }
353 fclose(file);
354
355 return 0;
356 }