3 * File originally from the Smoothwall project
4 * (c) 2001 Smoothwall Team
6 * $Id: ipsecctrl.c,v 1.5.2.14 2005/05/15 12:58:28 rkerr Exp $
10 #include "libsmooth.h"
15 #include <sys/types.h>
21 fprintf (stderr
, "Usage:\n");
22 fprintf (stderr
, "\tipsecctrl S [connectionkey]\n");
23 fprintf (stderr
, "\tipsecctrl D [connectionkey]\n");
24 fprintf (stderr
, "\tipsecctrl R\n");
25 fprintf (stderr
, "\t\tS : Start/Restart Connection\n");
26 fprintf (stderr
, "\t\tD : Stop Connection\n");
27 fprintf (stderr
, "\t\tR : Reload Certificates and Secrets\n");
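/*
 * loadalgmodules - load the ipsec kernel module.
 *
 * Runs "/sbin/modprobe ipsec" through safe_system().  The return value
 * of safe_system() is discarded, so a module that fails to load is not
 * reported from here; it surfaces later when the ipsec service is
 * started.  Takes no arguments and returns nothing.
 */
void loadalgmodules(void) {
	safe_system("/sbin/modprobe ipsec");
}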
/*
 * ipsecrules - append the ACCEPT rules IPsec traffic needs to one chain.
 *
 * chain     - iptables chain to append to; the callers in main() pass
 *             the literals "IPSECRED" and "IPSECBLUE"
 * interface - input interface the rules match on (-i)
 *
 * The rules formatted here admit IP protocol 47 (GRE), 50 (ESP),
 * 51 (AH), udp 500->500 (IKE) and udp dport 4500 (NAT-T) arriving on
 * `interface`.  Only the sprintf() calls are present in this rendering;
 * the statements that execute each formatted rule are on omitted lines.
 *
 * NOTE(review): sprintf() into str[STRING_SIZE] is unbounded.  The fixed
 * text plus two %s operands that may each be up to STRING_SIZE long can
 * overrun str; prefer snprintf(str, sizeof str, ...) and skip the rule
 * when the result is truncated.  The current callers only pass an
 * interface that passed VALID_DEVICE(), which keeps them safe, but the
 * function itself does not enforce that.
 */
34 void ipsecrules(char *chain
, char *interface
)
36 char str
[STRING_SIZE
];
/* GRE */
38 sprintf(str
, "/sbin/iptables -A %s -p 47 -i %s -j ACCEPT", chain
, interface
);
/* ESP */
40 sprintf(str
, "/sbin/iptables -A %s -p 50 -i %s -j ACCEPT", chain
, interface
);
/* AH */
42 sprintf(str
, "/sbin/iptables -A %s -p 51 -i %s -j ACCEPT", chain
, interface
);
/* IKE */
44 sprintf(str
, "/sbin/iptables -A %s -p udp -i %s --sport 500 --dport 500 -j ACCEPT", chain
, interface
);
/* IKE / ESP over UDP (NAT traversal) */
46 sprintf(str
, "/sbin/iptables -A %s -p udp -i %s --dport 4500 -j ACCEPT", chain
, interface
);
/*
 * addaliasinterfaces - attach one "ipsec<n>" virtual interface per
 * enabled RED alias.
 *
 * configtype - CONFIG_TYPE from ethernet/settings; only "2", "3", "6"
 *              and "7" (a RED ethernet interface exists) are handled
 * redtype    - RED_TYPE; aliases are only set up when it is "STATIC"
 * redif      - name of the RED interface the aliases are attached to
 * enablered  - ENABLED from vpn/settings ("on"/"off")
 * enableblue - ENABLED_BLUE from vpn/settings ("on"/"off")
 *
 * Reads CONFIG_ROOT "/ethernet/aliases" line by line and, for every
 * record whose address passes VALID_IP() and whose enabled field is
 * "on", formats "ipsec tncfg --attach --virtual ipsec<alias+add>
 * --physical <redif>:<alias>".  The loop stops once add + alias reaches
 * 16; add is presumably the number of virtual interfaces already used
 * by the other side — confirm against the omitted lines.
 *
 * Not present in this rendering: the local declarations, the statements
 * that follow the enablered / enableblue checks, the field assignments
 * between the two strtok() calls, and the call that executes the
 * formatted command.
 */
50 void addaliasinterfaces(char *configtype
, char *redtype
, char *redif
, char *enablered
, char*enableblue
)
/* The bodies of these two checks are on omitted lines. */
62 if ( strcmp(enablered
, "on") == 0 )
64 if ( strcmp(enableblue
, "on") == 0 )
67 /* Check for CONFIG_TYPE=2, 3, 6 or 7 i.e. RED ethernet present. If not,
68 * exit gracefully. This is not an error... */
69 if (!((strcmp(configtype
, "2")==0) || (strcmp(configtype
, "3")==0) || (strcmp(configtype
, "6")==0) || (strcmp(configtype
, "7")==0)))
72 /* Now check the RED_TYPE - aliases only work with STATIC. */
73 if (!(strcmp(redtype
, "STATIC")==0))
76 /* Now set up the new aliases from the config file */
77 if (!(file
= fopen(CONFIG_ROOT
"/ethernet/aliases", "r")))
79 fprintf(stderr
, "Unable to open aliases configuration file\n");
/* One alias record per line.  NOTE(review): a line whose first byte is
 * NUL gives strlen(s) == 0, so the newline strip below accesses s[-1];
 * guard it with strlen(s) > 0. */
83 while (fgets(s
, STRING_SIZE
, file
) != NULL
&& (add
+alias
) < 16)
85 if (s
[strlen(s
) - 1] == '\n')
86 s
[strlen(s
) - 1] = '\0';
/* Fields are comma separated.  The assignments of aliasip and enabled
 * from the tokens are on omitted lines between the two strtok() calls. */
87 sptr
= strtok(s
, ",");
101 sptr
= strtok(NULL
, ",");
/* Skip incomplete records, addresses that fail VALID_IP(), and aliases
 * that are not switched on.  aliasip itself is never placed in the
 * command below; only its validity gates the attach. */
104 if (!(aliasip
&& enabled
))
107 if (!VALID_IP(aliasip
))
109 fprintf(stderr
, "Bad alias : %s\n", aliasip
);
113 if (strcmp(enabled
, "on") == 0)
/* s is reused as the command buffer; the statement that runs it is on
 * an omitted line. */
115 memset(s
, 0, STRING_SIZE
);
116 snprintf(s
, STRING_SIZE
-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", alias
+add
, redif
, alias
);
/*
 * main - entry point of the ipsecctrl helper.
 *
 * argv[1] selects the operation: "S" start/restart, "D" stop, "R"
 * reread certificates and secrets.  An optional argv[2] names a single
 * connection by its numeric key in CONFIG_ROOT "/vpn/config".
 *
 * Reads CONFIG_ROOT "/vpn/settings", "/ethernet/settings" and
 * "/red/iface", flushes and rebuilds the IPSECRED / IPSECBLUE chains,
 * then runs the requested ipsec commands through safe_system().  The
 * command strings contain shell redirections (">/dev/null"), so every
 * value interpolated into them must be validated first — see the
 * LETTERS_NUMBERS check on the connection name below.
 *
 * Only part of the function is present in this rendering: the argc
 * check, the exit paths after each error message, the field parsing
 * between the strsep() calls, and the closing lines are not shown.
 * Comments marked NOTE(review) name what to confirm against the full
 * source.
 */
123 int main(int argc
, char *argv
[]) {
126 char configtype
[STRING_SIZE
];
127 char redtype
[STRING_SIZE
] = "";
128 char command
[STRING_SIZE
];
136 struct keyvalue
*kv
= NULL
;
137 char enablered
[STRING_SIZE
] = "off";
138 char enableblue
[STRING_SIZE
] = "off";
/* The second ';' is a stray empty statement; harmless but worth removing. */
139 char redif
[STRING_SIZE
] = "";;
140 char blueif
[STRING_SIZE
] = "";
141 FILE *ifacefile
= NULL
;
151 /* FIXME: workaround for pclose() issue - still no real idea why
152 * this is happening */
153 signal(SIGCHLD
, SIG_DFL
);
155 /* Init the keyvalue structure */
158 /* Read in the current values */
/* vpn/settings: only ENABLED and ENABLED_BLUE are used; both default to
 * "off", so a missing key leaves that side disabled. */
159 if (!readkeyvalues(kv
, CONFIG_ROOT
"/vpn/settings"))
161 fprintf(stderr
, "Cannot read vpn settings\n");
165 findkey(kv
, "ENABLED", enablered
);
166 findkey(kv
, "ENABLED_BLUE", enableblue
);
/* ethernet/settings: a missing CONFIG_TYPE is reported as an error;
 * RED_TYPE and BLUE_DEV fall back to "". */
171 if (!readkeyvalues(kv
, CONFIG_ROOT
"/ethernet/settings"))
173 fprintf(stderr
, "Cannot read ethernet settings\n");
177 if (!findkey(kv
, "CONFIG_TYPE", configtype
))
179 fprintf(stderr
, "Cannot read CONFIG_TYPE\n");
183 findkey(kv
, "RED_TYPE", redtype
);
184 findkey(kv
, "BLUE_DEV", blueif
);
/* The RED interface name comes from the red/iface state file and must
 * pass VALID_DEVICE(); otherwise redif is cleared so no rule or command
 * is ever built with it.  NOTE(review): ifacefile is not fclose()d in
 * the visible lines — confirm on the omitted ones. */
186 memset(redif
, 0, STRING_SIZE
);
188 if ((ifacefile
= fopen(CONFIG_ROOT
"/red/iface", "r")))
190 if (fgets(redif
, STRING_SIZE
, ifacefile
))
/* NOTE(review): if the file's first byte is NUL, strlen(redif) is 0 and
 * redif[-1] is accessed here; guard with strlen(redif) > 0. */
192 if (redif
[strlen(redif
) - 1] == '\n')
193 redif
[strlen(redif
) - 1] = '\0';
198 if (!VALID_DEVICE(redif
))
200 memset(redif
, 0, STRING_SIZE
);
/* Flush and rebuild the IPsec chains.  ipsecrules() only ever receives a
 * name that passed VALID_DEVICE(): redif was cleared above if it failed,
 * and blueif is checked right here. */
204 safe_system("/sbin/iptables -F IPSECRED");
205 if (!strcmp(enablered
, "on") && strlen(redif
)) {
206 ipsecrules("IPSECRED", redif
);
209 safe_system("/sbin/iptables -F IPSECBLUE");
210 if (!strcmp(enableblue
, "on")) {
211 if (VALID_DEVICE(blueif
))
212 ipsecrules("IPSECBLUE", blueif
);
215 fprintf(stderr
, "IPSec enabled on blue but blue interface is invalid or not found\n");
220 /* Only shutdown pluto if it really is running */
/* NOTE(review): argv[1] is used here and below without a visible argc
 * check; confirm the check on the omitted lines.  The descriptor from
 * open() is not closed in the visible lines either — the pid file is
 * only probed for existence, so a close(fd) (or access()/stat()) is
 * expected on an omitted line. */
222 if (strcmp(argv
[1], "D") == 0) {
225 if ((fd
= open("/var/run/pluto.pid", O_RDONLY
)) != -1) {
226 safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
/* Nothing more to do when neither red (with a usable interface) nor blue
 * is enabled; the statement this guards is on an omitted line. */
232 if ((strcmp(enablered
, "on") || !strlen(redif
)) && strcmp(enableblue
, "on"))
/* Whole-service operations (no connection key given; the enclosing
 * branch condition is on an omitted line). */
236 if (strcmp(argv
[1], "S") == 0) {
238 safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null");
239 safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
240 addaliasinterfaces(configtype
, redtype
, redif
, enablered
, enableblue
);
241 } else if (strcmp(argv
[1], "R") == 0) {
242 safe_system("/usr/sbin/ipsec auto --rereadall");
244 fprintf(stderr
, "Bad arg\n");
/* Per-connection operations.  argv[2] must consist solely of NUMBERS
 * before it is compared with the key column of vpn/config; this keeps
 * an arbitrary string from reaching the comparison below. */
248 } else if (strspn(argv
[2], NUMBERS
) == strlen(argv
[2])) {
/* NOTE(review): file is not fclose()d in the visible lines. */
249 if (!(file
= fopen(CONFIG_ROOT
"/vpn/config", "r"))) {
250 fprintf(stderr
, "Couldn't open vpn settings file");
/* One comma-separated record per line.  NOTE(review): as above, a line
 * starting with a NUL byte makes strlen(s) == 0 and s[-1] is accessed.
 * strsep() advances `running`, and no free() of the strdup() result is
 * visible — confirm the original pointer is kept and freed per record,
 * otherwise every line leaks. */
253 while (fgets(s
, STRING_SIZE
, file
) != NULL
) {
254 if (s
[strlen(s
) - 1] == '\n')
255 s
[strlen(s
) - 1] = '\0';
256 running
= strdup (s
);
257 result
= strsep(&running
, ",");
/* The key / name / type / enabled fields are presumably taken from the
 * strsep() calls on the omitted lines in between. */
273 result
= strsep(&running
, ",");
/* Skip records whose key is not the requested connection. */
275 if (strcmp(key
, argv
[2]) != 0)
278 if (!(name
&& enabled
))
/* Allowlist check on the connection name.  name is interpolated into the
 * "ipsec auto ..." command lines below, which are run through
 * safe_system() and carry shell redirections, so this check is what
 * keeps shell metacharacters out of those commands.  It must stay ahead
 * of every snprintf() that uses name. */
281 if (strspn(name
, LETTERS_NUMBERS
) != strlen(name
)) {
282 fprintf(stderr
, "Bad connection name: %s\n", name
);
/* type only takes the two literal values the S branch distinguishes. */
286 if (! (strcmp(type
, "host") == 0 || strcmp(type
, "net") == 0)) {
287 fprintf(stderr
, "Bad connection type: %s\n", type
);
/* "S" on an enabled connection: reload secrets, (re)load the conn, and
 * for a net-to-net conn bring it up asynchronously. */
291 if (strcmp(argv
[1], "S") == 0 && strcmp(enabled
, "on") == 0) {
292 safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");
293 memset(command
, 0, STRING_SIZE
);
294 snprintf(command
, STRING_SIZE
- 1,
295 "/usr/sbin/ipsec auto --replace %s >/dev/null", name
);
296 safe_system(command
);
297 if (strcmp(type
, "net") == 0) {
298 memset(command
, 0, STRING_SIZE
);
299 snprintf(command
, STRING_SIZE
- 1,
300 "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name
);
301 safe_system(command
);
/* "D": take the conn down and remove it from pluto. */
303 } else if (strcmp(argv
[1], "D") == 0) {
304 safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");
305 memset(command
, 0, STRING_SIZE
);
306 snprintf(command
, STRING_SIZE
- 1,
307 "/usr/sbin/ipsec auto --down %s >/dev/null", name
);
308 safe_system(command
);
309 memset(command
, 0, STRING_SIZE
);
310 snprintf(command
, STRING_SIZE
- 1,
311 "/usr/sbin/ipsec auto --delete %s >/dev/null", name
);
312 safe_system(command
);
/* Any other argv[1] is rejected. */
316 fprintf(stderr
, "Bad arg\n");