[strongswan.git] / src / _updown_espmark / _updown_espmark

#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
# Copyright (C) 2002-2004 Michael Richardson
# Copyright (C) 2005      Andreas Steffen <andreas.steffen@strongsec.com>
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.



# CAUTION:  Installing a new version of strongSwan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# things that this script gets (from ipsec_pluto(8) man page)
#
#
#      PLUTO_VERSION
#              indicates  what  version of this interface is being
#              used.  This document describes version  1.1.   This
#              is upwardly compatible with version 1.0.
#
#       PLUTO_VERB
#              specifies the name of the operation to be performed
#              (prepare-host, prepare-client, up-host, up-client,
#              down-host, or down-client).  If the address family
#              for security gateway to security gateway communica-
#              tions is IPv6, then a suffix of -v6 is added to the
#              verb.
#
#       PLUTO_CONNECTION
#              is the name of the  connection  for  which  we  are
#              routing.
#
#       PLUTO_NEXT_HOP
#              is the next hop to which packets bound for the peer
#              must be sent.
#
#       PLUTO_INTERFACE
#              is the name of the ipsec interface to be used.
#
#       PLUTO_ME
#              is the IP address of our host.
#
#       PLUTO_MY_ID
#              is the ID of our host.
#
#       PLUTO_MY_CLIENT
#              is the IP address / count of our client subnet.  If
#              the  client  is  just  the  host,  this will be the
#              host's own IP address / max (where max  is  32  for
#              IPv4 and 128 for IPv6).
#
#       PLUTO_MY_CLIENT_NET
#              is the IP address of our client net.  If the client
#              is just the host, this will be the  host's  own  IP
#              address.
#
#       PLUTO_MY_CLIENT_MASK
#              is  the  mask for our client net.  If the client is
#              just the host, this will be 255.255.255.255.
#
#       PLUTO_MY_SOURCEIP
#              if non-empty, then the source address for the route will be
#              set to this IP address.
#
#       PLUTO_MY_PROTOCOL
#              is the IP protocol that will be transported.
#
#       PLUTO_MY_PORT
#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
#              restricted on our side.
#
#       PLUTO_PEER
#              is the IP address of our peer.
#
#       PLUTO_PEER_ID
#              is the ID of our peer.
#
#       PLUTO_PEER_CA
#              is the CA which issued the cert of our peer.
#
#       PLUTO_PEER_CLIENT
#              is the IP address / count of the peer's client sub-
#              net.   If the client is just the peer, this will be
#              the peer's own IP address / max (where  max  is  32
#              for IPv4 and 128 for IPv6).
#
#       PLUTO_PEER_CLIENT_NET
#              is the IP address of the peer's client net.  If the
#              client is just the peer, this will  be  the  peer's
#              own IP address.
#
#       PLUTO_PEER_CLIENT_MASK
#              is  the  mask  for  the  peer's client net.  If the
#              client   is   just   the   peer,   this   will   be
#              255.255.255.255.
#
#       PLUTO_PEER_PROTOCOL
#              is the IP protocol that will be transported.
#
#       PLUTO_PEER_PORT
#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
#              restricted on the peer side.
#

# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice                   -/var/log/vpn
#

# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!?  Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0:       called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*)    ;;
*)      echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':')                    # no parameters
        ;;
ipfwadm:ipfwadm)        # due to (left/right)firewall; for default script only
        ;;
custom:*)               # custom parameters (see above CAUTION comment)
        ;;
*)      echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
        ip route flush cache
}
downroute() {
        doroute delete
        ip route flush cache
}

addsource() {
        st=0
        if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
        then
            it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
            oops="`eval $it 2>&1`"
            st=$?
            if test " $oops" = " " -a " $st" != " 0"
            then
                oops="silent error, exit status $st"
            fi
            if test " $oops" != " " -o " $st" != " 0"
            then
                echo "$0: addsource \`$it' failed ($oops)" >&2
            fi
        fi
        return $st
}

doroute() {
        st=0
        parms="$PLUTO_PEER_CLIENT"

        parms2=
        if [ -n "$PLUTO_NEXT_HOP" ]
        then
           parms2="via $PLUTO_NEXT_HOP"
        fi
        parms2="$parms2 dev $PLUTO_INTERFACE"

        if [ -z "$PLUTO_MY_SOURCEIP" ]
        then
            if [ -f /etc/sysconfig/defaultsource ]
            then
                . /etc/sysconfig/defaultsource
            fi

            if [ -f /etc/conf.d/defaultsource ]
            then
                . /etc/conf.d/defaultsource
            fi

            if [ -n "$DEFAULTSOURCE" ]
            then
                PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
            fi
        fi

        parms3=
        if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
        then
            addsource
            parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
        fi

        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # opportunistic encryption work around
                # need to provide route that eclipses default, without 
                # replacing it.
                it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
                        ip route $1 128.0.0.0/1 $parms2 $parms3"
                ;;
        *)      it="ip route $1 $parms $parms2 $parms3"
                ;;
        esac
        oops="`eval $it 2>&1`"
        st=$?
        if test " $oops" = " " -a " $st" != " 0"
        then
            oops="silent error, exit status $st"
        fi
        if test " $oops" != " " -o " $st" != " 0"
        then
            echo "$0: doroute \`$it' failed ($oops)" >&2
        fi
        return $st
}
 
# define ESP mark
ESP_MARK=50

# add the following static rule to the INPUT chain in the mangle table
# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50

# NAT traversal via UDP encapsulation is supported with the rule
# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50

# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
then
        CHECK_MARK=""
else
        CHECK_MARK="-m mark --mark $ESP_MARK"
fi

# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
        S_MY_PORT="--sport $PLUTO_MY_PORT"
        D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
        S_PEER_PORT="--sport $PLUTO_PEER_PORT"
        D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi

# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # need to provide route that eclipses default, without 
                # replacing it.
                parms1="0.0.0.0/1"
                parms2="128.0.0.0/1"
                it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
                oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
                ;;
        *)
                parms="$PLUTO_PEER_CLIENT"
                it="ip route delete $parms 2>&1"
                oops="`ip route delete $parms 2>&1`"
                ;;
        esac
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        *'RTNETLINK answers: No such process'*) 
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
            -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_ME $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
        #
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        then
          logger -t $TAG -p $FAC_PRIO \
            "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        else
          logger -t $TAG -p $FAC_PRIO \
            "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        fi
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
            -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_ME $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
        #
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        then
          logger -t $TAG -p $FAC_PRIO -- \
            "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        else
          logger -t $TAG -p $FAC_PRIO -- \
          "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        fi
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
        iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
               $CHECK_MARK -j ACCEPT
        #
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        then
          logger -t $TAG -p $FAC_PRIO \
            "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        else
          logger -t $TAG -p $FAC_PRIO \
            "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        fi
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
        iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
               $CHECK_MARK -j ACCEPT
        #
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        then
          logger -t $TAG -p $FAC_PRIO -- \
            "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        else
          logger -t $TAG -p $FAC_PRIO -- \
            "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        fi
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
        ;;
route-host-v6:*|route-client-v6:*)
        # connection to me or my client subnet being routed
        #uproute_v6
        ;;
unroute-host-v6:*|unroute-client-v6:*)
        # connection to me or my client subnet being unrouted
        #downroute_v6
        ;;
up-host-v6:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host-v6:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client-v6:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client-v6:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
*)      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac