2 # iproute2 version, default updown script
4 # Copyright (C) 2003-2004 Nigel Meteringham
5 # Copyright (C) 2003-2004 Tuomo Soini
6 # Copyright (C) 2002-2004 Michael Richardson
7 # Copyright (C) 2005 Andreas Steffen <andreas.steffen@strongsec.com>
9 # This program is free software; you can redistribute it and/or modify it
10 # under the terms of the GNU General Public License as published by the
11 # Free Software Foundation; either version 2 of the License, or (at your
12 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 # This program is distributed in the hope that it will be useful, but
15 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 # CAUTION: Installing a new version of strongSwan will install a new
22 # copy of this script, wiping out any custom changes you make. If
23 # you need changes, make a copy of this under another name, and customize
24 # that, and use the (left/right)updown parameters in ipsec.conf to make
25 # FreeS/WAN use yours instead of this default one.
27 # things that this script gets (from ipsec_pluto(8) man page)
31 # indicates what version of this interface is being
32 # used. This document describes version 1.1. This
33 # is upwardly compatible with version 1.0.
36 # specifies the name of the operation to be performed
37 # (prepare-host, prepare-client, up-host, up-client,
38 # down-host, or down-client). If the address family
39 # for security gateway to security gateway communica-
40 # tions is IPv6, then a suffix of -v6 is added to the
44 # is the name of the connection for which we are
48 # is the next hop to which packets bound for the peer
52 # is the name of the ipsec interface to be used.
55 # is the IP address of our host.
58 # is the ID of our host.
61 # is the IP address / count of our client subnet. If
62 # the client is just the host, this will be the
63 # host's own IP address / max (where max is 32 for
64 # IPv4 and 128 for IPv6).
67 # is the IP address of our client net. If the client
68 # is just the host, this will be the host's own IP
71 # PLUTO_MY_CLIENT_MASK
72 # is the mask for our client net. If the client is
73 # just the host, this will be 255.255.255.255.
76 # if non-empty, then the source address for the route will be
77 # set to this IP address.
80 # is the IP protocol that will be transported.
83 # is the UDP/TCP port to which the IPsec SA is
84 # restricted on our side.
87 # is the IP address of our peer.
90 # is the ID of our peer.
93 # is the CA which issued the cert of our peer.
96 # is the IP address / count of the peer's client sub-
97 # net. If the client is just the peer, this will be
98 # the peer's own IP address / max (where max is 32
99 # for IPv4 and 128 for IPv6).
101 # PLUTO_PEER_CLIENT_NET
102 # is the IP address of the peer's client net. If the
103 # client is just the peer, this will be the peer's
106 # PLUTO_PEER_CLIENT_MASK
107 # is the mask for the peer's client net. If the
108 # client is just the peer, this will be
111 # PLUTO_PEER_PROTOCOL
112 # is the IP protocol that will be transported.
115 # is the UDP/TCP port to which the IPsec SA is
116 # restricted on the peer side.
119 # logging of VPN connections
121 # tag put in front of each log entry:
124 # syslog facility and priority used:
125 FAC_PRIO=local0.notice
127 # to create a special vpn logging file, put the following line into
128 # the syslog configuration file /etc/syslog.conf:
130 # local0.notice -/var/log/vpn
133 # check interface version
134 case "$PLUTO_VERSION" in
135 1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
136 echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
137 echo "$0: called by obsolete Pluto?" >&2
141 *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
150 ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
152 custom:*) # custom parameters (see above CAUTION comment)
154 *) echo "$0: unknown parameters \`$*'" >&2
159 # utility functions for route manipulation
160 # Meddling with this stuff should not be necessary and requires great care.
172 if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
174 it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
175 oops="`eval $it 2>&1`"
177 if test " $oops" = " " -a " $st" != " 0"
179 oops="silent error, exit status $st"
181 if test " $oops" != " " -o " $st" != " 0"
183 echo "$0: addsource \`$it' failed ($oops)" >&2
191 parms="$PLUTO_PEER_CLIENT"
194 if [ -n "$PLUTO_NEXT_HOP" ]
196 parms2="via $PLUTO_NEXT_HOP"
198 parms2="$parms2 dev $PLUTO_INTERFACE"
200 if [ -z "$PLUTO_MY_SOURCEIP" ]
202 if [ -f /etc/sysconfig/defaultsource ]
204 . /etc/sysconfig/defaultsource
207 if [ -f /etc/conf.d/defaultsource ]
209 . /etc/conf.d/defaultsource
212 if [ -n "$DEFAULTSOURCE" ]
214 PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
219 if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
222 parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
225 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
227 # opportunistic encryption work around
228 # need to provide route that eclipses default, without
230 it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
231 ip route $1 128.0.0.0/1 $parms2 $parms3"
233 *) it="ip route $1 $parms $parms2 $parms3"
236 oops="`eval $it 2>&1`"
238 if test " $oops" = " " -a " $st" != " 0"
240 oops="silent error, exit status $st"
242 if test " $oops" != " " -o " $st" != " 0"
244 echo "$0: doroute \`$it' failed ($oops)" >&2
252 # add the following static rule to the INPUT chain in the mangle table
253 # iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
255 # NAT traversal via UDP encapsulation is supported with the rule
256 # iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
258 # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
259 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
263 CHECK_MARK="-m mark --mark $ESP_MARK"
266 # are there port numbers?
267 if [ "$PLUTO_MY_PORT" != 0 ]
269 S_MY_PORT="--sport $PLUTO_MY_PORT"
270 D_MY_PORT="--dport $PLUTO_MY_PORT"
272 if [ "$PLUTO_PEER_PORT" != 0 ]
274 S_PEER_PORT="--sport $PLUTO_PEER_PORT"
275 D_PEER_PORT="--dport $PLUTO_PEER_PORT"
278 # resolve octal escape sequences
279 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
280 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
283 case "$PLUTO_VERB:$1" in
284 prepare-host:*|prepare-client:*)
285 # delete possibly-existing route (preliminary to adding a route)
286 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
288 # need to provide route that eclipses default, without
292 it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
293 oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
296 parms="$PLUTO_PEER_CLIENT"
297 it="ip route delete $parms 2>&1"
298 oops="`ip route delete $parms 2>&1`"
302 if test " $oops" = " " -a " $status" != " 0"
304 oops="silent error, exit status $status"
307 *'RTNETLINK answers: No such process'*)
308 # This is what route (currently -- not documented!) gives
309 # for "could not find such a route".
314 if test " $oops" != " " -o " $status" != " 0"
316 echo "$0: \`$it' failed ($oops)" >&2
320 route-host:*|route-client:*)
321 # connection to me or my client subnet being routed
324 unroute-host:*|unroute-client:*)
325 # connection to me or my client subnet being unrouted
329 # connection to me coming up
330 # If you are doing a custom version, firewall commands go here.
331 iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
332 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
333 -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
334 iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
335 -s $PLUTO_ME $S_MY_PORT \
336 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
338 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
340 logger -t $TAG -p $FAC_PRIO \
341 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
343 logger -t $TAG -p $FAC_PRIO \
344 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
348 # connection to me going down
349 # If you are doing a custom version, firewall commands go here.
350 # connection to me going down
351 # If you are doing a custom version, firewall commands go here.
352 iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
353 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
354 -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
355 iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
356 -s $PLUTO_ME $S_MY_PORT \
357 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
359 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
361 logger -t $TAG -p $FAC_PRIO -- \
362 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
364 logger -t $TAG -p $FAC_PRIO -- \
365 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
369 # connection to my client subnet coming up
370 # If you are doing a custom version, firewall commands go here.
371 iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
372 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
373 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
374 iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
375 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
376 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
377 $CHECK_MARK -j ACCEPT
379 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
381 logger -t $TAG -p $FAC_PRIO \
382 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
384 logger -t $TAG -p $FAC_PRIO \
385 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
389 # connection to my client subnet going down
390 # If you are doing a custom version, firewall commands go here.
391 iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
392 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
393 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
394 iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
395 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
396 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
397 $CHECK_MARK -j ACCEPT
399 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
401 logger -t $TAG -p $FAC_PRIO -- \
402 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
404 logger -t $TAG -p $FAC_PRIO -- \
405 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
409 # connection to client subnet, with (left/right)firewall=yes, coming up
410 # This is used only by the default updown script, not by your custom
411 # ones, so do not mess with it; see CAUTION comment up at top.
412 ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
413 -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
416 # connection to client subnet, with (left/right)firewall=yes, going down
417 # This is used only by the default updown script, not by your custom
418 # ones, so do not mess with it; see CAUTION comment up at top.
419 ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
420 -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
425 prepare-host-v6:*|prepare-client-v6:*)
427 route-host-v6:*|route-client-v6:*)
428 # connection to me or my client subnet being routed
431 unroute-host-v6:*|unroute-client-v6:*)
432 # connection to me or my client subnet being unrouted
436 # connection to me coming up
437 # If you are doing a custom version, firewall commands go here.
440 # connection to me going down
441 # If you are doing a custom version, firewall commands go here.
444 # connection to my client subnet coming up
445 # If you are doing a custom version, firewall commands go here.
448 # connection to my client subnet going down
449 # If you are doing a custom version, firewall commands go here.
451 *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2