File Manager

X7ROOT File Manager

Current Path: /usr/libexec/ipsec

📁 ..
📄 _import_crl(154.26 KB)
📄 _keycensor(1.38 KB)
📄 _plutorun(2.98 KB)
📄 _secretcensor(1.86 KB)
📄 _stackmanager(14 KB)
📄 _unbound-hook(1.97 KB)
📄 _updown(4.23 KB)
📄 _updown.klips(18.3 KB)
📄 _updown.netkey(23.31 KB)
📄 addconn(210.56 KB)
📄 algparse(345.43 KB)
📄 auto(5.74 KB)
📄 barf(11.82 KB)
📄 cavp(346.02 KB)
📄 enumcheck(85.1 KB)
📄 eroute(93.81 KB)
📄 klipsdebug(69.61 KB)
📄 look(4.2 KB)
📄 newhostkey(3.23 KB)
📄 pf_key(69.18 KB)
📄 pluto(1.37 MB)
📄 readwriteconf(182.2 KB)
📄 rsasigkey(159.04 KB)
📄 setup(5.58 KB)
📄 show(3.46 KB)
📄 showhostkey(159.3 KB)
📄 spi(346.27 KB)
📄 spigrp(85.76 KB)
📄 tncfg(130.14 KB)
📄 verify(12.04 KB)
📄 whack(137.93 KB)

Editing: _updown.netkey

#! /bin/sh
#
# default updown script for use with NETKEY(XFRM)
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2007 Michael Richardson <mcr@xelerance.com>
# Copyright (C) 2007-2008 Paul Wouters <paul@xelerance.com>
# Copyright (C) 2003-2018 Tuomo Soini <tis@foobar.fi>
# Copyright (C) 2011-2016 Paul Wouters <pwouters@redhat.com>
# Copyright (C) 2016 Antony Antony <antony@phenome.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.

# CAUTION:  Installing a new version of Libreswan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown= parameters in ipsec.conf to make
# Libreswan use your modified updown script instead of this default one.

test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x

LC_ALL=C
export LC_ALL

# Things that this script gets (from ipsec_pluto(8) man page)
#
#
#	PLUTO_VERSION
#		indicates  what  version of this interface is being
#		used.  This document describes version  1.1.   This
#		is upwardly compatible with version 1.0.
#
#	PLUTO_VERB
#		specifies the name of the operation to be performed
#		(prepare-host, prepare-client, up-host, up-client,
#		down-host, or down-client).  If the address family
#		for security gateway to security gateway
#		communications is IPv6, then a suffix of -v6 is added
#		to the verb.
#
#	PLUTO_CONNECTION
#		is the name of the  connection	for  which  we	are
#		routing.
#
#	PLUTO_CONN_POLICY
#		the policy of the connection, as in:
#		RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC
#		+failureDROP+lKOD+rKOD
#
#	PLUTO_NEXT_HOP
#		is the next hop to which packets bound for the peer
#		must be sent.
#
#	PLUTO_INTERFACE
#		is the name of the ipsec interface to be used.
#
#	PLUTO_ME
#		is the IP address of our host.
#
#	PLUTO_METRIC
#		is the metric to set for the route
#
#	PLUTO_MTU
#		is the mtu to set for the route
#
#	PLUTO_MY_CLIENT
#		is the IP address / count of our client subnet.	 If
#		the  client  is	 just  the  host,  this will be the
#		host's own IP address / mask (where max	is  32	for
#		IPv4 and 128 for IPv6).
#
#	PLUTO_MY_CLIENT_NET
#		is the IP address of our client net.  If the client
#		is just the host, this will be the  host's  own	 IP
#		address.
#
#	PLUTO_MY_CLIENT_MASK
#		is  the	 mask for our client net.  If the client is
#		just the host, this will be 255.255.255.255.
#
#	PLUTO_MY_SOURCEIP
#		if non-empty, then the source address for the route will be
#		set to this IP address.
#
#	PLUTO_MY_PROTOCOL
#		is the protocol	 for this  connection.	Useful	for
#		firewalling.
#
#	PLUTO_MY_PORT
#		is the port. Useful for firewalling.
#
#	PLUTO_PEER
#		is the IP address of our peer.
#
#	PLUTO_PEER_CLIENT
#		is the IP address / count of the peer's client subnet.
#		If the client is just the peer, this will be
#		the peer's own IP address / mask (where	max  is	 32
#		for IPv4 and 128 for IPv6).
#
#	PLUTO_PEER_CLIENT_NET
#		is the IP address of the peer's client net.  If the
#		client is just the peer, this will  be	the  peer's
#		own IP address.
#
#	PLUTO_PEER_CLIENT_MASK
#		is  the	 mask  for  the	 peer's client net.  If the
#		client	 is   just   the   peer,   this	  will	 be
#		255.255.255.255.
#
#	PLUTO_PEER_PROTOCOL
#		is  the	 protocol  set	for  remote  end  with port
#		selector.
#
#	PLUTO_PEER_PORT
#		is the peer's port. Useful for firewalling.
#
#	PLUTO_CFG_CLIENT=0|1
#		is MODECFG or IKEv2 Config client.
#
#	PLUTO_CFG_SERVER=0|1
#		is MODECFG or IKEv2 Config server.
#
#	PLUTO_CONNECTION_TYPE
#
#	PLUTO_CONN_ADDRFAMILY
#		is the family type, "ipv4" or "ipv6"
#
#	PLUTO_PROTO_STACK
#		is the local IPsec kernel stack used, eg KLIPS, NETKEY,
#		MAST, NOSTACK
#
#	PLUTO_IS_PEER_CISCO=0|1
#		remote server type is cisco. Add support for cisco extensions
#		when used with xauth.
#
#	PLUTO_NM_CONFIGURED=0|1
#		is NetworkManager used for resolv.conf update
#
#	PLUTO_SA_REQID
#		When using KAME or XFRM/NETKEY, the IPsec SA reqid base value.
#		ESP/AH out is base, ESP/AH in = base + 1
#		IPCOMP is base + 2 plus for inbound + 1
#
#	PLUTO_SA_TYPE
#		The type of IPsec SA (ESP or AH)
#
#	PLUTO_USERNAME
#		The username (XAUTH or GSSAPI) that was authenticated (if any)
#		for this SA
#
#	XAUTH_FAILED
#		If xauthfail=soft this will be set to 1 if XAUTH authentication
#		failed. If xauthfail=hard, the updown scripts never run.
#
#	CONNMARK
#		If mark= is set on the connection, this variable will be
#		set with the value. It can be used for iptables or VTI.
#
#	VTI_IFAC=iface
#		Name of VTI interface to create
#
#	VTI_ROUTING=yes|no
#		Whether or not to perform ip rule and ip route commands
#		covering the IPsec SA address ranges to route those packets
#		into the VTI_IFACE interface. This should be enabled unless
#		the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0
#
#	VTI_SHARED=yes|no
#		Whether or not more conns (or instances) share a VTI device.
#               If not shared, the VTI device is deleted when tunnel goes down.
#
#	SPI_IN / SPI_OUT
#		The inbound and outbound SPI's of the connection.

# rpm based systems
if [ -f /etc/sysconfig/pluto_updown ]; then
    . /etc/sysconfig/pluto_updown
# deb based systems
elif [ -f /etc/default/pluto_updown ]; then
    . /etc/default/pluto_updown
fi

BACKUP_RESOLV_CONF=/run/pluto/libreswan-resolv-conf-backup
ETC_RESOLV_CONF=/etc/resolv.conf
MAX_CIDR=32	# for ipv4
[ "${PLUTO_CONN_ADDRFAMILY}" = ipv6 ] &&  MAX_CIDR=128
SCOPE=50	# Use scope 50 to verify ip was added by addsource()

# Ignore parameter custom
if [ "${1}" = "custom" ]; then
    shift
fi

while [ $# -gt 0 ]; do
    case ${1} in
	--route)
	    case ${2} in
		[Yy]*)
		    ROUTE=yes
		    ;;
		*)
		    ROUTE=
		    ;;
	    esac
	    shift; shift
	    ;;
	--iproute)
	    IPRARGS="${2}"
	    shift; shift
	    ;;
	*)
	    echo "$0: Unknown argument \"${1}\"" >&2
	    exit 1
	    ;;
    esac
done

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
    doproxyarp add
    doroute replace
    ip route flush cache
}

downroute() {
    doroute del
    ip route flush cache
    doproxyarp delete
}

downrule() {
    if [ -n "${PLUTO_MY_SOURCEIP}" -a 0${PLUTO_IS_PEER_CISCO} -eq 1 ]; then
	doroute del
	ip route flush cache
    fi
}

updateresolvconf() {
    local domain
    local nameserver
    local new_nameserver
    local new_resolv_conf
    local new_search
    local orig_domain
    local orig_nameserver
    local rc
    rc=0
    if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then
	return ${rc}
    fi
    if [ -n "$(pidof unbound)" -a \
	-n "${PLUTO_PEER_DNS_INFO}" -a \
	-n "${PLUTO_PEER_DOMAIN_INFO}" ]
    then
	for domain in ${PLUTO_PEER_DOMAIN_INFO}; do
	    echo "updating local nameserver for ${domain} with ${PLUTO_PEER_DNS_INFO}"
	    unbound-control forward_add ${domain} \
		${PLUTO_PEER_DNS_INFO}
	    unbound-control flush_zone ${domain}
	    unbound-control flush_requestlist
	done
	rc=$?
    elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 -a \
	-n "${PLUTO_PEER_DNS_INFO}" ]
    then
	echo "updating resolvconf"

if [ ! -e "${ETC_RESOLV_CONF}" ]; then
	    echo "resolv.conf does not exist, so doing nothing"
	    return 0
	fi

if [ -e "${BACKUP_RESOLV_CONF}" ]; then
	    if grep -q Libreswan "${ETC_RESOLV_CONF}"; then
		echo "Current resolv.conf is generated by Libreswan, and backup resolv.conf already exists, so doing nothing"
		return 0
	    else
		echo "backup resolv.conf exists, but current resolv.conf is not generated by Libreswan"
	    fi
	fi

rm -f -- "${BACKUP_RESOLV_CONF}"
	cp -- "${ETC_RESOLV_CONF}" "${BACKUP_RESOLV_CONF}"

new_resolv_conf="# Generated by Libreswan (IPsec)"

orig_domain="$(grep ^domain "${ETC_RESOLV_CONF}" 2>/dev/null | \
	    awk '{ print $2 }')"

orig_search=$(grep ^search "${ETC_RESOLV_CONF}" 2>/dev/null | \
	    sed 's/^search[[:space:]]\+//;s/[[:space:]]*\#.*//')

if [ -n "${orig_domain}" ]; then
	    new_resolv_conf="${new_resolv_conf}
domain ${orig_domain}"
	fi

if [ -n "${orig_search}" ]; then
	    new_search="${orig_search}"
	elif [ -n "${orig_domain}" ]; then
	    new_search="${orig_domain}"
	fi

if [ -n "${PLUTO_PEER_DOMAIN_INFO}" ]; then
	    if [ -n "${new_search}" ]; then
		new_search=$(echo $(echo "${new_search} ${PLUTO_PEER_DOMAIN_INFO}" | tr [:space:] '\n' | awk '!a[$0]++'))
	    else
		new_search="${PLUTO_PEER_DOMAIN_INFO}"
	    fi
	fi

if [ -n "${new_search}" ]; then
	    new_resolv_conf="${new_resolv_conf}
search ${new_search}"
	fi

orig_nameserver=$(grep --max-count 1 ^nameserver "${ETC_RESOLV_CONF}" | \
	    sed 's/^nameserver[[:space:]]\+//;s/[[:space:]]*\#.*//')
	if [ -n "${orig_nameserver}" ]; then
	    new_nameserver=$(echo $(echo "${PLUTO_PEER_DNS_INFO} ${orig_nameserver}" | tr [:space:] '\n' | awk '!a[$0]++'))
	else
	    new_nameserver="${PLUTO_PEER_DNS_INFO}"
	fi

for nameserver in ${new_nameserver}; do
	    new_resolv_conf="${new_resolv_conf}
nameserver ${nameserver}"
	done

rm -f -- "${ETC_RESOLV_CONF}"
	echo "${new_resolv_conf}" > "${ETC_RESOLV_CONF}"
	rc=$?
    fi
    return ${rc}
}

restoreresolvconf() {
    local domain
    local rc
    rc=0
    if [ 0${PLUTO_CFG_CLIENT} -eq 0 ]; then
	return ${rc}
    fi
    if [ -n "$(pidof unbound)" -a \
	-n "${PLUTO_PEER_DNS_INFO}" -a \
	-n "${PLUTO_PEER_DOMAIN_INFO}" ]
    then
	for domain in ${PLUTO_PEER_DOMAIN_INFO}; do
	    echo "flushing local nameserver of ${domain}"
	    unbound-control forward_remove ${domain}
	    unbound-control flush_zone ${domain}
	    unbound-control flush_requestlist
	done
	rc=$?
    elif [ 0${PLUTO_NM_CONFIGURED} -eq 0 ]; then
	echo "restoring resolvconf"
	if [ ! -e "${BACKUP_RESOLV_CONF}" ]; then
	    echo "Problem in restoring the resolv.conf, as there is no backup file"
	    return 2
	fi

if grep -q Libreswan "${ETC_RESOLV_CONF}" 2>/dev/null; then
	    cp -- "${BACKUP_RESOLV_CONF}" "${ETC_RESOLV_CONF}"
	else
	    echo "Current resolv.conf is not generated by Libreswan, so doing nothing"
	fi

rm -f -- "${BACKUP_RESOLV_CONF}"
	rc=0
    fi
    return ${rc}
}

notifyNM() {
    # This will be called whenever a connection is established or
    # fails to establish (either phase 1, xauth phase, or phase 2)
    # or whenever an already established connection is being terminated.
    # This will send a singal to NetworkManager over dbus so that NM
    # can keep track of the coonnections.

if [ 0${PLUTO_NM_CONFIGURED} -eq 1 ]; then
	echo "sending $1 signal to NetworkManager"
	libreswan_reason=$1
	export libreswan_reason
	export PLUTO_PEER_DOMAIN_INFO
	export PLUTO_PEER_DNS_INFO
	export PLUTO_PEER_BANNER
	export PLUTO_MY_SOURCEIP
	export PLUTO_PEER
	[ -x /usr/libexec/nm-libreswan-service-helper ] && \
	    /usr/libexec/nm-libreswan-service-helper
    fi
    return 0
}

addsource() {
    local interface
    local st
    interface=lo
    st=0
    if [ -z "${PLUTO_MY_SOURCEIP}" ]; then
        return ${st}
    fi
    # check if given sourceip is local and add as alias if not
    if ! ip -o route get ${PLUTO_MY_SOURCEIP} | grep -q ^local; then
	if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
	    interface="${VTI_IFACE}"
	fi
	it="ip addr add ${PLUTO_MY_SOURCEIP}/${MAX_CIDR} dev ${interface} scope ${SCOPE}"
	oops="$(eval ${it} 2>&1)"
	st=$?
	if [ -z "${oops}" -a ${st} -ne 0 ]; then
	    oops="silent error, exit status ${st}"
	fi
	case "${oops}" in
	    'RTNETLINK answers: File exists'*)
		# should not happen, but ... ignore if the
		# address was already assigned on interface
		oops=""
		st=0
		;;
	esac
	if [ -n "${oops}" -o ${st} -ne 0 ]; then
	    echo "$0: addsource \"${it}\" failed (${oops})" >&2
	fi
    fi
    return ${st}
}

delsource() {
    local interface
    local st
    interface=lo
    st=0
    if [ -z "${PLUTO_MY_SOURCEIP}" ]; then
        return ${st}
    fi
    # Remove source ip if it's not used any more.
    if [ $(ip -o route list src ${PLUTO_MY_SOURCEIP} | wc -l) -eq 0 ]; then
	if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
	    interface="${VTI_IFACE}"
	fi
	# If there is no ip we just return
	if ! ip -o addr list dev ${interface} scope ${SCOPE} | \
	    grep -q ${PLUTO_MY_SOURCEIP}/${MAX_CIDR}
	then
	    return ${st}
	fi
	it="ip addr del ${PLUTO_MY_SOURCEIP}/${MAX_CIDR} dev ${interface}"
	oops="$(eval ${it} 2>&1)"
	st=$?
	if [ -z "${oops}" -a ${st} -ne 0 ]; then
	    oops="silent error, exit status ${st}"
	fi
	case "${oops}" in
	    'RTNETLINK answers: File exists'*)
		# should not happen, but ... ignore if the
		# address was already assigned on interface
		oops=""
		st=0
		;;
	    'RTNETLINK answers: Cannot assign'*)
		# Address is not there to remove or is there with different
		# netmask and in that case we must not remove it so we ignore
		# the error.
		oops=""
		st=0
		;;
	esac
	if [ -n "${oops}" -o ${st} -ne 0 ]; then
	    echo "$0: delsource \"${it}\" failed (${oops})" >&2
	fi
    fi
    return ${st}
}

doproxyarp() {
    local cmd
    cmd=${1}
    # Check if client has a single ip only client net
    if [ ${PLUTO_PEER_CLIENT#*/} = ${MAX_CIDR} ]; then
	# Skip OE special connections and direct host-host connections
	if [ "${PLUTO_PEER_CLIENT_NET}" = "0.0.0.0" -o \
	    "${PLUTO_PEER_CLIENT_NET}" = "::" -o \
	    "${PLUTO_PEER_CLIENT_NET}" = "${PLUTO_PEER}" -o \
	    "${PLUTO_MY_CLIENT_NET}" = "${PLUTO_ME}" ]
	then
	    return 0
	fi
	# check if client is routeable
	if ip -o route get ${PLUTO_PEER_CLIENT_NET} | \
	    egrep -q -s -v " via |^local"; then
	    iface=$(ip -o route get ${PLUTO_PEER_CLIENT_NET} | \
		awk '{print $3}')
	    if [ -r /sys/class/net/${iface}/address ]; then
		macaddr=$(cat /sys/class/net/${iface}/address)
	    fi
	    # add/remove arp entry for the client on ethernet devices only
	    if [ -n "${macaddr}" ]; then
		if [ "${cmd}" = "add" ]; then
		    ip neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \
			lladdr ${macaddr} nud permanent
		    # Force routing, required for proxyarp to work
		    ROUTE=yes
		    export ROUTE
		else
		    ip neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface}
		fi
	    fi
	fi
    fi
}

doroute() {
    local cmd
    local oops
    local st
    cmd=${1}
    st=0
    if [ ${cmd} != del ]; then
	oops="$(eval ip route get ${PLUTO_PEER_CLIENT} 2>&1)"
	case "${oops}" in
	    'RTNETLINK answers: No route to host'*)
		# Routing is mandatory for IPsec
		ROUTE=yes
		;;
	esac
    fi
    # skip routing if it's not enabled or necessary
    if [ -z "${PLUTO_MY_SOURCEIP}" -a \
	-z "${PLUTO_MTU}" -a \
	"${ROUTE}" != "yes" -a \
	"${cmd}" != "del" ]
    then
	return 0
    fi
    parms="${PLUTO_PEER_CLIENT}"
    parms2=${IPRARGS}
    # nexthop is not needed on ppp interfaces. unset it to make cases
    # work, where left is set but no leftnexthop (e.g. left=%defaultroute)
    if ip link show "${PLUTO_INTERFACE%:*}" | grep -q POINTOPOINT; then
	POINTPOINT=yes
    fi
    # use nexthop if nexthop is not %direct and POINTPOINT is not set
    if [ "${PLUTO_NEXT_HOP}" != "${PLUTO_PEER}" -a -z "${POINTPOINT}" ]; then
	parms2="via ${PLUTO_NEXT_HOP}"
    fi
    # route via proper interface according to routing table
    if [ "${cmd}" = "del" ]; then
	case "${PLUTO_PEER_CLIENT}" in
	    "0.0.0.0/0")
		# in case of default route we use half routes
		peer_interface=$(ip -o route list exact 0.0.0.0/1 | \
		    sed "s/^.*dev $[^ ]*$ .*/\1/")
		;;
	    *)
		peer_interface=$(ip -o route get ${PLUTO_PEER_CLIENT} | \
		    sed "s/^.*dev $[^ ]*$ .*/\1/")
		;;
	esac
    else
	peer_interface=$(ip -o route get ${PLUTO_NEXT_HOP} | \
	    sed "s/^.*dev $[^ ]*$ .*/\1/")
    fi
    if [ -n "${VTI_IFACE}" ]; then
	addsource
	peer_interface="${VTI_IFACE}"
    fi
    if [ -z "${peer_interface}" ]; then
	peer_interface=${PLUTO_INTERFACE}
    fi
    parms2="${parms2} dev ${peer_interface%:*}${PLUTO_MTU:+ mtu ${PLUTO_MTU}}${PLUTO_METRIC:+ metric ${PLUTO_METRIC}} $IPROUTEARGS"

# make sure whe have sourceip locally in this machine
    if [ "${cmd}" = "replace" -a -n "${PLUTO_MY_SOURCEIP}" ]; then
	addsource
	# use sourceip as route default source
	parms2="${parms2} src ${PLUTO_MY_SOURCEIP}"
    fi

case "${PLUTO_PEER_CLIENT}" in
	"0.0.0.0/0")
	    # need to provide route that eclipses default, without
	    # replacing it.
	    it="ip route ${cmd} 0.0.0.0/1 ${parms2} && ip route ${cmd} 128.0.0.0/1 ${parms2}"
	    ;;
	*)
	    it="ip route ${cmd} ${parms} ${parms2}"
	    ;;
    esac
    oops="$(eval ${it} 2>&1)"
    st=$?
    if [ -z "${oops}" -a ${st} -ne 0 ]; then
	oops="silent error, exit status ${st}"
    fi
    case "${oops}" in
	'RTNETLINK answers: No such process'*)
	    # should not happen, but ... ignore if the
	    # route was already removed
	    oops=""
	    st=0
	    ;;
    esac
    if [ -n "${oops}" -o ${st} -ne 0 ]; then
	echo "$0: doroute \"${it}\" failed (${oops})" >&2
    fi
    return ${st}
}

# TODO: We need to specify CIDR mask but our _MASK variables are in old school format
# TODO: Exclude udp 4500 traffic
addnflog() {
    if [ -n "${NFLOG}" ]; then
	iptables -I OUTPUT -m policy --dir out --pol ipsec \
	    -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \
	    -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
	iptables -I INPUT  -m policy --dir in --pol ipsec \
	    -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \
	    -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
    fi
}

delnflog() {
    if [ -n "${NFLOG}" ]; then
	iptables -D OUTPUT -m policy --dir out --pol ipsec \
	    -s ${PLUTO_MY_CLIENT} -d ${PLUTO_PEER_CLIENT} \
	    -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
	iptables -D INPUT  -m policy --dir in --pol ipsec \
	    -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} \
	    -j NFLOG --nflog-group ${NFLOG} --nflog-prefix ${PLUTO_CONNECTION}
    fi
}

addvtiiface() {
    if [ -n "${VTI_IFACE}" ]; then
	if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then
	    echo "vti-interface option ignored because no mark was configured"
	else
	    if [ ! -d "/proc/sys/net/ipv4/conf/${VTI_IFACE}" ]; then
		# echo "creating vti interface"
		vtipeer="${PLUTO_PEER}"
		if [ "${PLUTO_CONN_KIND}" = CK_INSTANCE -o "${VTI_SHARED}" = "yes" ]; then
		    vtipeer="0.0.0.0"
		fi
		ip tunnel add ${VTI_IFACE} mode vti local ${PLUTO_ME} \
		    remote ${vtipeer} okey ${CONNMARK_OUT%/*} \
		    ikey ${CONNMARK_IN%/*}
		sysctl -w net.ipv4.conf.${VTI_IFACE}.disable_policy=1
		sysctl -w net.ipv4.conf.${VTI_IFACE}.rp_filter=0
		sysctl -w net.ipv4.conf.${VTI_IFACE}.forwarding=1
		if [ -n "${VTI_IP}" ]; then
		   ip addr add ${VTI_IP} dev ${VTI_IFACE}
		fi
		ip link set ${VTI_IFACE} up
	    else
		# check there was no conflict if we are sharing - might be sensitive to /sbin/ip differences
		if [ "${VTI_SHARED}" = yes ]; then
			#test: ip/ip remote 3.4.5.6 local 1.2.3.4 ttl inherit key 5
			cur="$(ip tun show ${VTI_IFACE})"
			new="${VTI_IFACE}: ip/ip  remote any  local ${PLUTO_ME}  ttl inherit  key ${CONNMARK_OUT%/*}"
			if [ "${cur}" != "${new}" ]; then
				echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting"
				echo "existing: ${cur}"
				echo "wanted  : ${new}"
			else
				# temp debug
				echo "vti interface already exists with identical parameters, OK"
			fi
		else
			echo "vti interface \"${VTI_IFACE}\" already exists with conflicting setting (perhaps need vti-sharing=yes ?"
		fi
	    fi
	fi
    fi
}

addvti() {
    if [ -n "${VTI_IFACE}" ]; then
	if [ -z "${CONNMARK_IN}" -o -z "${CONNMARK_OUT}" ]; then
	    echo "vti-interface option ignored because no mark was configured"
	else
	    if [ "${VTI_ROUTING}" = yes ]; then
		# Tuomo should improve this with using ${PLUTO_MY_CLIENT_NET}
		# echo "setting up vti routing"
		r=add
		ip route list | grep -q "${PLUTO_PEER_CLIENT%/*}" && r=change
		if [ "${r}" = change ]; then
		    # resolve LAN conflict by forcing host route for default gw
		    gw="$(ip ro li | grep ^default | awk '{ print $3;}')"
		    gwdev="$(ip ro li | grep ^default | awk '{ print $5;}')"
		    # echo "ip route add ${gw} dev ${gwdev}"
		    ip route add ${gw} dev ${gwdev} >/dev/null ||:
		fi
		srcip=""
		if [ -n "${PLUTO_MY_SOURCEIP}" ]; then
		    srcip=" src ${PLUTO_MY_SOURCEIP}"
		fi
		# echo "ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}"
		ip route ${r} ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} ${srcip}
		echo "done ip route"
	    fi
	fi
    fi
}

delvti() {
    if [ -n "${VTI_IFACE}" -a -d /proc/sys/net/ipv4/conf/${VTI_IFACE} ]; then
	if [ "${VTI_ROUTING}" = yes ]; then
		ip route del ${PLUTO_PEER_CLIENT} dev ${VTI_IFACE} \
			src ${PLUTO_MY_SOURCEIP} ||:
	fi
	# TODO: we can't delete vti interface because we don't have proper reference
	# counting.
	#if [ "${VTI_SHARED}" = no -a "${PLUTO_CONN_KIND}" != CK_INSTANCE ]; then
	#	ip tun del ${VTI_IFACE} ||:
	#fi
   fi
}

# Client Address Translation CAT
addcat() {
    if [ -n "${CAT}" ] && [ "${PLUTO_MY_CLIENT_NET}" != "0.0.0.0" ] ; then
	iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
	    -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
	iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
	    -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
	    -j DNAT --to-destination ${PLUTO_ME}
    fi
}

delcat() {
    if [ -n "${CAT}" ]; then
	iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec  \
	    -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
	    -j DNAT --to-destination ${PLUTO_ME}
	iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
	    -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
    fi
}

# the big choice
case "${PLUTO_VERB}" in
    prepare-host|prepare-client)
	addvtiiface
	;;
    route-host|route-client)
	# connection to me or my client subnet being routed
	addvti
	uproute
	addnflog
	;;
    unroute-host|unroute-client)
	# connection to me or my client subnet being unrouted
	downroute
	delsource
	;;
    up-host)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
    down-host)
	# connection to me going down
	downrule
	delnflog
	delcat
	delvti
	# If you are doing a custom version, firewall commands go here.
	;;
    up-client)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	addvtiiface
	updateresolvconf
	addcat
	addsource
	notifyNM connect
	;;
    down-client)
	# connection to my client subnet going down
	downrule
	delnflog
	delcat
	delvti
	# If you are doing a custom version, firewall commands go here.
	restoreresolvconf
	notifyNM disconnect
	;;
    #
    # IPv6
    #
    prepare-host-v6|prepare-client-v6)
	# prepare client for connection
	;;
    route-host-v6|route-client-v6)
	# connection to me or my client subnet being routed
	;;
    unroute-host-v6|unroute-client-v6)
	# connection to me or my client subnet being unrouted
	;;
    up-host-v6)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
    down-host-v6)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
    up-client-v6)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
    down-client-v6)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
    *)	echo "$0: unknown verb \"${PLUTO_VERB}\" or parameter \"${1}\"" >&2
	exit 1
	;;
esac

X7ROOT File Manager

Editing: _updown.netkey

Upload File

Create Folder