-/*\r
- *\r
- * File originally from the Smoothwall project\r
- * (c) 2001 Smoothwall Team\r
- *\r
- * $Id: ipsecctrl.c,v 1.5.2.14 2005/05/15 12:58:28 rkerr Exp $\r
- *\r
- */\r
-\r
-#include "libsmooth.h"\r
-#include <stdio.h>\r
-#include <stdlib.h>\r
-#include <string.h>\r
-#include <unistd.h>\r
-#include <sys/types.h>\r
-#include <sys/stat.h>\r
-#include <signal.h>\r
-#include "setuid.h"\r
-\r
-void usage() {\r
- fprintf (stderr, "Usage:\n");\r
- fprintf (stderr, "\tipsecctrl S [connectionkey]\n");\r
- fprintf (stderr, "\tipsecctrl D [connectionkey]\n");\r
- fprintf (stderr, "\tipsecctrl R\n");\r
- fprintf (stderr, "\t\tS : Start/Restart Connection\n");\r
- fprintf (stderr, "\t\tD : Stop Connection\n");\r
- fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n");\r
-}\r
-\r
-void loadalgmodules() {\r
- safe_system("/sbin/modprobe ipsec_3des");\r
- safe_system("/sbin/modprobe ipsec_aes");\r
- safe_system("/sbin/modprobe ipsec_blowfish");\r
- safe_system("/sbin/modprobe ipsec_md5");\r
- safe_system("/sbin/modprobe ipsec_serpent");\r
- safe_system("/sbin/modprobe ipsec_sha1");\r
- safe_system("/sbin/modprobe ipsec_sha2");\r
- safe_system("/sbin/modprobe ipsec_twofish");\r
-}\r
-\r
-void ipsecrules(char *chain, char *interface)\r
-{\r
- char str[STRING_SIZE];\r
-\r
- sprintf(str, "/sbin/iptables -A %s -p 47 -i %s -j ACCEPT", chain, interface);\r
- safe_system(str);\r
- sprintf(str, "/sbin/iptables -A %s -p 50 -i %s -j ACCEPT", chain, interface);\r
- safe_system(str);\r
- sprintf(str, "/sbin/iptables -A %s -p 51 -i %s -j ACCEPT", chain, interface);\r
- safe_system(str);\r
- sprintf(str, "/sbin/iptables -A %s -p udp -i %s --sport 500 --dport 500 -j ACCEPT", chain, interface);\r
- safe_system(str);\r
- sprintf(str, "/sbin/iptables -A %s -p udp -i %s --dport 4500 -j ACCEPT", chain, interface);\r
- safe_system(str);\r
-}\r
-\r
-void addaliasinterfaces(char *configtype, char *redtype, char *redif, char *enablered, char*enableblue)\r
-{\r
- FILE *file = NULL;\r
- char s[STRING_SIZE];\r
- char *sptr;\r
- char *aliasip=NULL;\r
- char *enabled=NULL;\r
- char *comment=NULL;\r
- int count=0;\r
- int alias=0;\r
- int add=0;\r
-\r
- if ( strcmp(enablered, "on") == 0 ) \r
- add += 1;\r
- if ( strcmp(enableblue, "on") == 0 )\r
- add += 1;\r
- \r
- /* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not,\r
- * exit gracefully. This is not an error... */\r
- if (!((strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) || (strcmp(configtype, "6")==0) || (strcmp(configtype, "7")==0)))\r
- return;\r
-\r
- /* Now check the RED_TYPE - aliases only work with STATIC. */\r
- if (!(strcmp(redtype, "STATIC")==0))\r
- return;\r
-\r
- /* Now set up the new aliases from the config file */\r
- if (!(file = fopen(CONFIG_ROOT "/ethernet/aliases", "r")))\r
- {\r
- fprintf(stderr, "Unable to open aliases configuration file\n");\r
- return;\r
- }\r
-\r
- while (fgets(s, STRING_SIZE, file) != NULL && (add+alias) < 16)\r
- {\r
- if (s[strlen(s) - 1] == '\n')\r
- s[strlen(s) - 1] = '\0';\r
- sptr = strtok(s, ",");\r
- count = 0;\r
- aliasip = NULL;\r
- enabled = NULL;\r
- comment = NULL;\r
- while (sptr)\r
- {\r
- if (count == 0)\r
- aliasip = sptr;\r
- if (count == 1)\r
- enabled = sptr;\r
- else\r
- comment = sptr;\r
- count++;\r
- sptr = strtok(NULL, ",");\r
- }\r
-\r
- if (!(aliasip && enabled))\r
- continue;\r
-\r
- if (!VALID_IP(aliasip))\r
- {\r
- fprintf(stderr, "Bad alias : %s\n", aliasip);\r
- return;\r
- }\r
-\r
- if (strcmp(enabled, "on") == 0)\r
- {\r
- memset(s, 0, STRING_SIZE);\r
- snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", alias+add, redif, alias);\r
- safe_system(s);\r
- alias++;\r
- }\r
- }\r
-}\r
-\r
-int main(int argc, char *argv[]) {\r
- int count;\r
- char s[STRING_SIZE];\r
- char configtype[STRING_SIZE];\r
- char redtype[STRING_SIZE] = "";\r
- char command[STRING_SIZE];\r
- char *result;\r
- char *key;\r
- char *enabled;\r
- char *name;\r
- char *type;\r
- char *running;\r
- FILE *file = NULL;\r
- struct keyvalue *kv = NULL;\r
- char enablered[STRING_SIZE] = "off";\r
- char enableblue[STRING_SIZE] = "off";\r
- char redif[STRING_SIZE] = "";;\r
- char blueif[STRING_SIZE] = "";\r
- FILE *ifacefile = NULL;\r
- \r
- if (!(initsetuid()))\r
- exit(1);\r
- \r
- if (argc < 2) {\r
- usage();\r
- exit(1);\r
- }\r
-\r
- /* FIXME: workaround for pclose() issue - still no real idea why\r
- * this is happening */\r
- signal(SIGCHLD, SIG_DFL);\r
-\r
- /* Init the keyvalue structure */\r
- kv=initkeyvalues();\r
-\r
- /* Read in the current values */\r
- if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))\r
- {\r
- fprintf(stderr, "Cannot read vpn settings\n");\r
- exit(1);\r
- }\r
-\r
- findkey(kv, "ENABLED", enablered);\r
- findkey(kv, "ENABLED_BLUE", enableblue);\r
-\r
- freekeyvalues(kv);\r
- kv=initkeyvalues();\r
-\r
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
- {\r
- fprintf(stderr, "Cannot read ethernet settings\n");\r
- exit(1);\r
- }\r
-\r
- if (!findkey(kv, "CONFIG_TYPE", configtype))\r
- {\r
- fprintf(stderr, "Cannot read CONFIG_TYPE\n");\r
- exit(1);\r
- }\r
-\r
- findkey(kv, "RED_TYPE", redtype);\r
- findkey(kv, "BLUE_DEV", blueif);\r
- freekeyvalues(kv);\r
- memset(redif, 0, STRING_SIZE);\r
-\r
- if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
- {\r
- if (fgets(redif, STRING_SIZE, ifacefile))\r
- {\r
- if (redif[strlen(redif) - 1] == '\n')\r
- redif[strlen(redif) - 1] = '\0';\r
- }\r
- fclose (ifacefile);\r
- ifacefile = NULL;\r
-\r
- if (!VALID_DEVICE(redif))\r
- {\r
- memset(redif, 0, STRING_SIZE);\r
- }\r
- }\r
-\r
- safe_system("/sbin/iptables -F IPSECRED");\r
- if (!strcmp(enablered, "on") && strlen(redif)) {\r
- ipsecrules("IPSECRED", redif);\r
- }\r
-\r
- safe_system("/sbin/iptables -F IPSECBLUE");\r
- if (!strcmp(enableblue, "on")) {\r
- if (VALID_DEVICE(blueif))\r
- ipsecrules("IPSECBLUE", blueif);\r
- else\r
- {\r
- fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");\r
- exit(1);\r
- }\r
- }\r
-\r
- /* Only shutdown pluto if it really is running */\r
- if (argc == 2) {\r
- if (strcmp(argv[1], "D") == 0) {\r
- int fd;\r
- /* Get pluto pid */\r
- if ((fd = open("/var/run/pluto.pid", O_RDONLY)) != -1) {\r
- safe_system("/etc/rc.d/ipsec stop 2> /dev/null >/dev/null");\r
- close(fd);\r
- }\r
- }\r
- }\r
-\r
- if ((strcmp(enablered, "on") || !strlen(redif)) && strcmp(enableblue, "on"))\r
- exit(0);\r
-\r
- if (argc == 2) {\r
- if (strcmp(argv[1], "S") == 0) {\r
- loadalgmodules();\r
- safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null");\r
- safe_system("/etc/rc.d/ipsec restart >/dev/null");\r
- addaliasinterfaces(configtype, redtype, redif, enablered, enableblue);\r
- } else if (strcmp(argv[1], "R") == 0) {\r
- safe_system("/usr/sbin/ipsec auto --rereadall");\r
- } else {\r
- fprintf(stderr, "Bad arg\n");\r
- usage();\r
- exit(1);\r
- }\r
- } else if (strspn(argv[2], NUMBERS) == strlen(argv[2])) {\r
- if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {\r
- fprintf(stderr, "Couldn't open vpn settings file");\r
- exit(1);\r
- }\r
- while (fgets(s, STRING_SIZE, file) != NULL) {\r
- if (s[strlen(s) - 1] == '\n')\r
- s[strlen(s) - 1] = '\0';\r
- running = strdup (s);\r
- result = strsep(&running, ",");\r
- count = 0;\r
- key = NULL;\r
- name = NULL;\r
- enabled = NULL;\r
- type = NULL;\r
- while (result) {\r
- if (count == 0)\r
- key = result;\r
- if (count == 1)\r
- enabled = result; \r
- if (count == 2)\r
- name = result;\r
- if (count == 4)\r
- type = result;\r
- count++;\r
- result = strsep(&running, ",");\r
- }\r
- if (strcmp(key, argv[2]) != 0)\r
- continue;\r
- \r
- if (!(name && enabled))\r
- continue;\r
- \r
- if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {\r
- fprintf(stderr, "Bad connection name: %s\n", name);\r
- goto EXIT;\r
- }\r
-\r
- if (! (strcmp(type, "host") == 0 || strcmp(type, "net") == 0)) {\r
- fprintf(stderr, "Bad connection type: %s\n", type);\r
- goto EXIT;\r
- }\r
- \r
- if (strcmp(argv[1], "S") == 0 && strcmp(enabled, "on") == 0) {\r
- safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");\r
- memset(command, 0, STRING_SIZE);\r
- snprintf(command, STRING_SIZE - 1, \r
- "/usr/sbin/ipsec auto --replace %s >/dev/null", name);\r
- safe_system(command);\r
- if (strcmp(type, "net") == 0) {\r
- memset(command, 0, STRING_SIZE);\r
- snprintf(command, STRING_SIZE - 1, \r
- "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name);\r
- safe_system(command);\r
- }\r
- } else if (strcmp(argv[1], "D") == 0) {\r
- safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");\r
- memset(command, 0, STRING_SIZE);\r
- snprintf(command, STRING_SIZE - 1, \r
- "/usr/sbin/ipsec auto --down %s >/dev/null", name);\r
- safe_system(command);\r
- memset(command, 0, STRING_SIZE);\r
- snprintf(command, STRING_SIZE - 1, \r
- "/usr/sbin/ipsec auto --delete %s >/dev/null", name);\r
- safe_system(command);\r
- }\r
- }\r
- } else {\r
- fprintf(stderr, "Bad arg\n");\r
- usage();\r
- exit(1);\r
- }\r
-\r
-EXIT:\r
- if (file)\r
- fclose(file);\r
- return 0;\r
-}\r
+/*
+ *
+ * File originally from the Smoothwall project
+ * (c) 2001 Smoothwall Team
+ *
+ */
+
+#include "libsmooth.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <signal.h>
+#include "setuid.h"
+
+/*
+ This module is responsible for start stop of the vpn system.
+
+ 1) it allows AH & ESP to get in from interface where a vpn is mounted
+ The NAT traversal is used on the udp 4500 port.
+
+ 2) it starts the ipsec daemon
+ The RED interface is a problem because it can be up or down a startup.
+ Then, the state change and it must not affect other VPN mounted on
+ other interface.
+ Unfortunatly, openswan 1 cannot do that correctly. It cannot use an
+ interface without restarting everything.
+
+*/
+
+void usage() {
+ fprintf (stderr, "Usage:\n");
+ fprintf (stderr, "\tipsecctrl S [connectionkey]\n");
+ fprintf (stderr, "\tipsecctrl D [connectionkey]\n");
+ fprintf (stderr, "\tipsecctrl R\n");
+ fprintf (stderr, "\tipsecctrl I\n");
+ fprintf (stderr, "\t\tS : Start/Restart Connection\n");
+ fprintf (stderr, "\t\tD : Stop Connection\n");
+ fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n");
+ fprintf (stderr, "\t\tI : Print Statusinfo\n");
+}
+
+/*
+ ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
+*/
+void open_physical (char *interface, int nat_traversal_port) {
+ char str[STRING_SIZE];
+
+ // GRE ???
+// sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
+// safe_system(str);
+ // ESP
+// sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
+// safe_system(str);
+ // AH
+// sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
+// safe_system(str);
+ // IKE
+
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+ safe_system(str);
+ sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
+ safe_system(str);
+
+ if (! nat_traversal_port)
+ return;
+
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+ safe_system(str);
+ sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+ safe_system(str);
+}
+
+void ipsec_norules() {
+ /* clear input rules */
+ safe_system("/sbin/iptables -F IPSECINPUT");
+ safe_system("/sbin/iptables -F IPSECFORWARD");
+ safe_system("/sbin/iptables -F IPSECOUTPUT");
+}
+
+/*
+ return values from the vpn config file or false if not 'on'
+*/
+int decode_line (char *s,
+ char **key,
+ char **name,
+ char **type
+ ) {
+ int count = 0;
+ *key = NULL;
+ *name = NULL;
+ *type = NULL;
+
+ if (s[strlen(s) - 1] == '\n')
+ s[strlen(s) - 1] = '\0';
+
+ char *result = strsep(&s, ",");
+ while (result) {
+ if (count == 0)
+ *key = result;
+ if ((count == 1) && strcmp(result, "on") != 0)
+ return 0; // a disabled line
+ if (count == 2)
+ *name = result;
+ if (count == 4)
+ *type = result;
+ count++;
+ result = strsep(&s, ",");
+ }
+
+ // check other syntax
+ if (! *name)
+ return 0;
+
+ if (strspn(*name, LETTERS_NUMBERS) != strlen(*name)) {
+ fprintf(stderr, "Bad connection name: %s\n", *name);
+ return 0;
+ }
+
+ if (! (strcmp(*type, "host") == 0 || strcmp(*type, "net") == 0)) {
+ fprintf(stderr, "Bad connection type: %s\n", *type);
+ return 0;
+ }
+
+ //it's a valid & active line
+ return 1;
+}
+
+/*
+ issue ipsec commmands to turn on connection 'name'
+*/
+void turn_connection_on(char *name, char *type) {
+ /*
+ * To bring up a connection, we need to reload the configuration
+ * and issue ipsec up afterwards. To make sure the connection
+ * is not established from the start, we bring it down in advance.
+ */
+ char command[STRING_SIZE];
+
+ // Bring down the connection (if established).
+ snprintf(command, STRING_SIZE - 1,
+ "/usr/sbin/ipsec down %s >/dev/null", name);
+ safe_system(command);
+
+ // Reload the configuration into the daemon (#10339).
+ ipsec_reload();
+
+ // Bring the connection up again.
+ snprintf(command, STRING_SIZE - 1,
+ "/usr/sbin/ipsec up %s >/dev/null", name);
+ safe_system(command);
+}
+
+/*
+ issue ipsec commmands to turn off connection 'name'
+*/
+void turn_connection_off (char *name) {
+ /*
+ * To turn off a connection, all SAs must be turned down.
+ * After that, the configuration must be reloaded.
+ */
+ char command[STRING_SIZE];
+
+ // Bring down the connection.
+ snprintf(command, STRING_SIZE - 1,
+ "/usr/sbin/ipsec down %s >/dev/null", name);
+ safe_system(command);
+
+ // Reload, so the connection is dropped.
+ ipsec_reload();
+}
+
+void ipsec_reload() {
+ /* Re-read all configuration files and secrets and
+ * reload the daemon (#10339).
+ */
+ safe_system("/usr/sbin/ipsec rereadall >/dev/null 2>&1");
+ safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
+}
+
+int main(int argc, char *argv[]) {
+ char configtype[STRING_SIZE];
+ char redtype[STRING_SIZE] = "";
+ struct keyvalue *kv = NULL;
+
+ if (argc < 2) {
+ usage();
+ exit(1);
+ }
+ if (!(initsetuid()))
+ exit(1);
+
+ FILE *file = NULL;
+
+
+ if (strcmp(argv[1], "I") == 0) {
+ safe_system("/usr/sbin/ipsec status");
+ exit(0);
+ }
+
+ if (strcmp(argv[1], "R") == 0) {
+ ipsec_reload();
+ exit(0);
+ }
+
+ /* FIXME: workaround for pclose() issue - still no real idea why
+ * this is happening */
+ signal(SIGCHLD, SIG_DFL);
+
+ /* handle operations that doesn't need start the ipsec system */
+ if (argc == 2) {
+ if (strcmp(argv[1], "D") == 0) {
+ safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
+ ipsec_norules();
+ exit(0);
+ }
+ }
+
+ /* read vpn config */
+ kv=initkeyvalues();
+ if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
+ {
+ fprintf(stderr, "Cannot read vpn settings\n");
+ exit(1);
+ }
+
+ /* check is the vpn system is enabled */
+ {
+ char s[STRING_SIZE];
+ findkey(kv, "ENABLED", s);
+ freekeyvalues(kv);
+ if (strcmp (s, "on") != 0)
+ exit(0);
+ }
+
+ /* read interface settings */
+ kv=initkeyvalues();
+ if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
+ {
+ fprintf(stderr, "Cannot read ethernet settings\n");
+ exit(1);
+ }
+ if (!findkey(kv, "CONFIG_TYPE", configtype))
+ {
+ fprintf(stderr, "Cannot read CONFIG_TYPE\n");
+ exit(1);
+ }
+ findkey(kv, "RED_TYPE", redtype);
+
+
+ /* Loop through the config file to find physical interface that will accept IPSEC */
+ int enable_red=0; // states 0: not used
+ int enable_green=0; // 1: error condition
+ int enable_orange=0; // 2: good
+ int enable_blue=0;
+ char if_red[STRING_SIZE] = "";
+ char if_green[STRING_SIZE] = "";
+ char if_orange[STRING_SIZE] = "";
+ char if_blue[STRING_SIZE] = "";
+ char s[STRING_SIZE];
+
+ // when RED is up, find interface name in special file
+ FILE *ifacefile = NULL;
+ if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
+ if (fgets(if_red, STRING_SIZE, ifacefile)) {
+ if (if_red[strlen(if_red) - 1] == '\n')
+ if_red[strlen(if_red) - 1] = '\0';
+ }
+ fclose (ifacefile);
+
+ if (VALID_DEVICE(if_red))
+ enable_red++;
+ }
+
+ // Check if GREEN is enabled.
+ findkey(kv, "GREEN_DEV", if_green);
+ if (VALID_DEVICE(if_green))
+ enable_green++;
+
+ // Check if ORANGE is enabled.
+ findkey(kv, "ORANGE_DEV", if_orange);
+ if (VALID_DEVICE(if_orange))
+ enable_orange++;
+
+ // Check if BLUE is enabled.
+ findkey(kv, "BLUE_DEV", if_blue);
+ if (VALID_DEVICE(if_blue))
+ enable_blue++;
+
+ freekeyvalues(kv);
+
+ // exit if nothing to do
+ if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
+ exit(0);
+
+ // open needed ports
+ if (enable_red > 0)
+ open_physical(if_red, 4500);
+
+ if (enable_green > 0)
+ open_physical(if_green, 4500);
+
+ if (enable_orange > 0)
+ open_physical(if_orange, 4500);
+
+ if (enable_blue > 0)
+ open_physical(if_blue, 4500);
+
+ // start the system
+ if ((argc == 2) && strcmp(argv[1], "S") == 0) {
+ safe_system("/usr/sbin/ipsec restart >/dev/null");
+ exit(0);
+ }
+
+ // it is a selective start or stop
+ // second param is only a number 'key'
+ if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
+ fprintf(stderr, "Bad arg: %s\n", argv[2]);
+ usage();
+ exit(1);
+ }
+
+ // search the vpn pointed by 'key'
+ if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
+ fprintf(stderr, "Couldn't open vpn settings file");
+ exit(1);
+ }
+ while (fgets(s, STRING_SIZE, file) != NULL) {
+ char *key;
+ char *name;
+ char *type;
+ if (!decode_line(s,&key,&name,&type))
+ continue;
+
+ // is it the 'key' requested ?
+ if (strcmp(argv[2], key) != 0)
+ continue;
+
+ // Start or Delete this Connection
+ if (strcmp(argv[1], "S") == 0)
+ turn_connection_on (name, type);
+ else if (strcmp(argv[1], "D") == 0)
+ turn_connection_off (name);
+ else {
+ fprintf(stderr, "Bad command\n");
+ exit(1);
+ }
+ }
+ fclose(file);
+
+ return 0;
+}
projects / people / teissler / ipfire-2.x.git / blobdiff