2 # iproute2 version, default updown script
4 # Copyright (C) 2003-2004 Nigel Meteringham
5 # Copyright (C) 2003-2004 Tuomo Soini
6 # Copyright (C) 2002-2004 Michael Richardson
7 # Copyright (C) 2005 Andreas Steffen <andreas.steffen@strongsec.com>
9 # This program is free software; you can redistribute it and/or modify it
10 # under the terms of the GNU General Public License as published by the
11 # Free Software Foundation; either version 2 of the License, or (at your
12 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 # This program is distributed in the hope that it will be useful, but
15 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 # RCSID $Id: _updown_espmark.in,v 1.4 2005/09/14 14:33:05 as Exp $
23 # CAUTION: Installing a new version of strongSwan will install a new
24 # copy of this script, wiping out any custom changes you make. If
25 # you need changes, make a copy of this under another name, and customize
26 # that, and use the (left/right)updown parameters in ipsec.conf to make
27 # FreeS/WAN use yours instead of this default one.
29 # things that this script gets (from ipsec_pluto(8) man page)
33 # indicates what version of this interface is being
34 # used. This document describes version 1.1. This
35 # is upwardly compatible with version 1.0.
38 # specifies the name of the operation to be performed
39 # (prepare-host, prepare-client, up-host, up-client,
40 # down-host, or down-client). If the address family
# for security gateway to security gateway communications
# is IPv6, then a suffix of -v6 is added to the
46 # is the name of the connection for which we are
50 # is the next hop to which packets bound for the peer
54 # is the name of the ipsec interface to be used.
57 # is the IP address of our host.
60 # is the ID of our host.
63 # is the IP address / count of our client subnet. If
64 # the client is just the host, this will be the
65 # host's own IP address / max (where max is 32 for
66 # IPv4 and 128 for IPv6).
69 # is the IP address of our client net. If the client
70 # is just the host, this will be the host's own IP
73 # PLUTO_MY_CLIENT_MASK
74 # is the mask for our client net. If the client is
75 # just the host, this will be 255.255.255.255.
78 # if non-empty, then the source address for the route will be
79 # set to this IP address.
82 # is the IP protocol that will be transported.
85 # is the UDP/TCP port to which the IPsec SA is
86 # restricted on our side.
89 # is the IP address of our peer.
92 # is the ID of our peer.
95 # is the CA which issued the cert of our peer.
98 # is the IP address / count of the peer's client sub
99 # net. If the client is just the peer, this will be
100 # the peer's own IP address / max (where max is 32
101 # for IPv4 and 128 for IPv6).
103 # PLUTO_PEER_CLIENT_NET
104 # is the IP address of the peer's client net. If the
105 # client is just the peer, this will be the peer's
108 # PLUTO_PEER_CLIENT_MASK
109 # is the mask for the peer's client net. If the
110 # client is just the peer, this will be
113 # PLUTO_PEER_PROTOCOL
114 # is the IP protocol that will be transported.
117 # is the UDP/TCP port to which the IPsec SA is
118 # restricted on the peer side.
121 # logging of VPN connections
123 # tag put in front of each log entry:
126 # syslog facility and priority used:
FAC_PRIO="local0.notice"   # facility.priority handed to "logger -p" below
129 # to create a special vpn logging file, put the following line into
130 # the syslog configuration file /etc/syslog.conf:
132 # local0.notice -/var/log/vpn
135 # check interface version
136 case "$PLUTO_VERSION" in
137 1.
[0]) # Older Pluto?!? Play it safe, script may be using new features.
138 echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
139 echo "$0: called by obsolete Pluto?" >&2
143 *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
152 ipfwadm
:ipfwadm
) # due to (left/right)firewall; for default script only
154 custom
:*) # custom parameters (see above CAUTION comment)
156 *) echo "$0: unknown parameters \`$*'" >&2
161 # utility functions for route manipulation
162 # Meddling with this stuff should not be necessary and requires great care.
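#######################################
# Make sure the configured source address is present on the IPsec
# interface before it is used as the "src" of a route.
# Globals (read):    PLUTO_MY_SOURCEIP, PLUTO_INTERFACE
# Globals (written): it, oops, st
# Outputs:  a diagnostic on stderr when "ip addr add" fails
# Returns:  0 when the address is already local or was added,
#           otherwise the exit status of "ip addr add"
#######################################
addsource() {
    st=0
    # "ip -o route get" reports "local ..." when the address is already ours
    if ! ip -o route get "${PLUTO_MY_SOURCEIP%/*}" | grep -q '^local'
    then
        it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
        # $it is handed to eval so that the failing command can be quoted
        # in the diagnostic below; the values spliced into it come from the
        # daemon's environment and must stay free of shell metacharacters.
        oops="$(eval $it 2>&1)"
        st=$?
        if [ -z "$oops" ] && [ "$st" != 0 ]
        then
            oops="silent error, exit status $st"
        fi
        if [ -n "$oops" ] || [ "$st" != 0 ]
        then
            echo "$0: addsource \`$it' failed ($oops)" >&2
        fi
    fi
    return $st
}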
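#######################################
# Add or delete the kernel route towards the peer's client subnet.
# Globals (read):    PLUTO_PEER_CLIENT, PLUTO_NEXT_HOP, PLUTO_INTERFACE,
#                    PLUTO_MY_SOURCEIP, PLUTO_PEER_CLIENT_NET,
#                    PLUTO_PEER_CLIENT_MASK, DEFAULTSOURCE
# Globals (written): PLUTO_MY_SOURCEIP, parms, parms2, parms3, it, oops, st
# Arguments: $1 - "add" or "delete", passed straight to "ip route"
# Outputs:   a diagnostic on stderr when "ip route" fails
# Returns:   the exit status of the "ip route" command
#######################################
doroute() {
    parms="$PLUTO_PEER_CLIENT"
    parms2=""
    if [ -n "$PLUTO_NEXT_HOP" ]
    then
        parms2="via $PLUTO_NEXT_HOP"
    fi
    parms2="$parms2 dev $PLUTO_INTERFACE"
    parms3=""
    if [ -z "$PLUTO_MY_SOURCEIP" ]
    then
        # Site-wide fallback for the source address.  Both files are
        # executed as shell code with this script's privileges, so they
        # must only be writable by the administrator.
        if [ -f /etc/sysconfig/defaultsource ]
        then
            . /etc/sysconfig/defaultsource
        fi
        if [ -f /etc/conf.d/defaultsource ]
        then
            . /etc/conf.d/defaultsource
        fi
        if [ -n "$DEFAULTSOURCE" ]
        then
            PLUTO_MY_SOURCEIP="$DEFAULTSOURCE"
        fi
    fi
    if [ "$1" = "add" ] && [ -n "$PLUTO_MY_SOURCEIP" ]
    then
        # the "src" of a route must exist on the interface first
        addsource
        parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
    fi
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # opportunistic encryption work around
        # need to provide route that eclipses default, without
        # replacing it: two half-routes are more specific than 0/0.
        it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
            ip route $1 128.0.0.0/1 $parms2 $parms3"
        ;;
    *)
        it="ip route $1 $parms $parms2 $parms3"
        ;;
    esac
    # $it is handed to eval so that the failing command can be quoted in
    # the diagnostic; everything spliced into it above comes from the
    # daemon's environment or the defaultsource files and must stay free
    # of shell metacharacters.
    oops="$(eval $it 2>&1)"
    st=$?
    if [ -z "$oops" ] && [ "$st" != 0 ]
    then
        oops="silent error, exit status $st"
    fi
    if [ -n "$oops" ] || [ "$st" != 0 ]
    then
        echo "$0: doroute \`$it' failed ($oops)" >&2
    fi
    return $st
}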
254 # add the following static rule to the INPUT chain in the mangle table
255 # iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
257 # NAT traversal via UDP encapsulation is supported with the rule
258 # iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
260 # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
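# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
# NOTE(review): ESP_MARK is referenced here but not set in this section;
# it must be defined earlier in the script.
case "$PLUTO_INTERFACE" in
*ipsec*)
    CHECK_MARK=""
    ;;
*)
    # restrict the inbound ACCEPT rules to packets carrying the mark set
    # by the mangle-table rule described above, i.e. to traffic that
    # really arrived through ESP
    CHECK_MARK="-m mark --mark $ESP_MARK"
    ;;
esac

# are there port numbers?
# The *_PORT variables stay empty when the SA is not port-restricted and
# are expanded unquoted into the iptables command lines below.
S_MY_PORT=""
D_MY_PORT=""
S_PEER_PORT=""
D_PEER_PORT=""
if [ "$PLUTO_MY_PORT" != 0 ]
then
    S_MY_PORT="--sport $PLUTO_MY_PORT"
    D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
    S_PEER_PORT="--sport $PLUTO_PEER_PORT"
    D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi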
281 case "$PLUTO_VERB:$1" in
282 prepare-host
:*|prepare-client
:*)
283 # delete possibly-existing route (preliminary to adding a route)
284 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
286 # need to provide route that eclipses default, without
290 it
="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
291 oops
="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
294 parms
="$PLUTO_PEER_CLIENT"
295 it
="ip route delete $parms 2>&1"
296 oops
="`ip route delete $parms 2>&1`"
300 if test " $oops" = " " -a " $status" != " 0"
302 oops
="silent error, exit status $status"
305 *'RTNETLINK answers: No such process'*)
306 # This is what route (currently -- not documented!) gives
307 # for "could not find such a route".
312 if test " $oops" != " " -o " $status" != " 0"
314 echo "$0: \`$it' failed ($oops)" >&2
318 route-host
:*|route-client
:*)
319 # connection to me or my client subnet being routed
322 unroute-host
:*|unroute-client
:*)
323 # connection to me or my client subnet being unrouted
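# up-host arm: connection to me coming up
# If you are doing a custom version, firewall commands go here.
# $S_PEER_PORT, $D_MY_PORT, $S_MY_PORT, $D_PEER_PORT and $CHECK_MARK are
# left unquoted on purpose: each expands to zero or several words.
# $CHECK_MARK limits the inbound rule to packets that carry the ESP mark.
iptables -I INPUT 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
    -s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $S_PEER_PORT \
    -d "$PLUTO_ME" $D_MY_PORT $CHECK_MARK -j ACCEPT
iptables -I OUTPUT 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
    -s "$PLUTO_ME" $S_MY_PORT \
    -d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $D_PEER_PORT -j ACCEPT
#
# PLUTO_PEER_ID is the identity presented by the remote peer, so part of
# this log line is peer-chosen text.  printf '%b' keeps the backslash
# interpretation the script has always done (echo -e) but is portable and,
# being quoted, is not subject to word splitting or pathname expansion.
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
    logger -t "$TAG" -p "$FAC_PRIO" -- \
        "+ $(printf '%b' "$PLUTO_PEER_ID") $PLUTO_PEER -- $PLUTO_ME"
else
    logger -t "$TAG" -p "$FAC_PRIO" -- \
        "+ $(printf '%b' "$PLUTO_PEER_ID") $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi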
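# down-host arm: connection to me going down
# If you are doing a custom version, firewall commands go here.
# These -D calls must mirror the -I calls of the up-host arm exactly, or
# the rule is not found and the ACCEPT stays in place.
# $S_PEER_PORT, $D_MY_PORT, $S_MY_PORT, $D_PEER_PORT and $CHECK_MARK are
# left unquoted on purpose: each expands to zero or several words.
iptables -D INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
    -s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $S_PEER_PORT \
    -d "$PLUTO_ME" $D_MY_PORT $CHECK_MARK -j ACCEPT
iptables -D OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
    -s "$PLUTO_ME" $S_MY_PORT \
    -d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $D_PEER_PORT -j ACCEPT
#
# PLUTO_PEER_ID is peer-chosen text; printf '%b' replaces the non-portable
# "echo -e" and the quoting stops word splitting and pathname expansion.
# "--" keeps logger from reading the leading "-" of the message as an option.
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
    logger -t "$TAG" -p "$FAC_PRIO" -- \
        "- $(printf '%b' "$PLUTO_PEER_ID") $PLUTO_PEER -- $PLUTO_ME"
else
    logger -t "$TAG" -p "$FAC_PRIO" -- \
        "- $(printf '%b' "$PLUTO_PEER_ID") $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi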
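# up-client arm: connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
# $S_MY_PORT, $D_PEER_PORT, $S_PEER_PORT, $D_MY_PORT and $CHECK_MARK are
# left unquoted on purpose: each expands to zero or several words.
iptables -I FORWARD 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
    -s "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" $S_MY_PORT \
    -d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $D_PEER_PORT -j ACCEPT
# inbound forwarding is only accepted for packets carrying the ESP mark
iptables -I FORWARD 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
    -s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $S_PEER_PORT \
    -d "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" $D_MY_PORT \
    $CHECK_MARK -j ACCEPT
#
# PLUTO_PEER_ID is peer-chosen text; printf '%b' replaces the non-portable
# "echo -e" and the quoting stops word splitting and pathname expansion.
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
    logger -t "$TAG" -p "$FAC_PRIO" -- \
        "+ $(printf '%b' "$PLUTO_PEER_ID") $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
    logger -t "$TAG" -p "$FAC_PRIO" -- \
        "+ $(printf '%b' "$PLUTO_PEER_ID") $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi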
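# down-client arm: connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
# These -D calls must mirror the -I calls of the up-client arm exactly.
# $S_MY_PORT, $D_PEER_PORT, $S_PEER_PORT, $D_MY_PORT and $CHECK_MARK are
# left unquoted on purpose: each expands to zero or several words.
iptables -D FORWARD -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
    -s "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" $S_MY_PORT \
    -d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $D_PEER_PORT -j ACCEPT
iptables -D FORWARD -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
    -s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $S_PEER_PORT \
    -d "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" $D_MY_PORT \
    $CHECK_MARK -j ACCEPT
#
# PLUTO_PEER_ID is peer-chosen text; printf '%b' replaces the non-portable
# "echo -e" and the quoting stops word splitting and pathname expansion.
# "--" keeps logger from reading the leading "-" of the message as an option.
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
    logger -t "$TAG" -p "$FAC_PRIO" -- \
        "- $(printf '%b' "$PLUTO_PEER_ID") $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
    logger -t "$TAG" -p "$FAC_PRIO" -- \
        "- $(printf '%b' "$PLUTO_PEER_ID") $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi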
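# up-client:ipfwadm arm: connection to client subnet, with
# (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
# -b makes the rule bidirectional between the two subnets.
ipfwadm -F -i accept -b -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
    -D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"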
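# down-client:ipfwadm arm: connection to client subnet, with
# (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
# Must mirror the ipfwadm -i call of the up arm exactly so the rule is found.
ipfwadm -F -d accept -b -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
    -D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"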
423 prepare-host-v6
:*|prepare-client-v6
:*)
425 route-host-v6
:*|route-client-v6
:*)
426 # connection to me or my client subnet being routed
429 unroute-host-v6
:*|unroute-client-v6
:*)
430 # connection to me or my client subnet being unrouted
434 # connection to me coming up
435 # If you are doing a custom version, firewall commands go here.
438 # connection to me going down
439 # If you are doing a custom version, firewall commands go here.
442 # connection to my client subnet coming up
443 # If you are doing a custom version, firewall commands go here.
446 # connection to my client subnet going down
447 # If you are doing a custom version, firewall commands go here.
449 *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2