removed recursive mutex and __USE_UNIX98, should fix uClibc build
[strongswan.git] / src / _updown / _updown.in
old mode 100755 (executable)
new mode 100644 (file)
index 8db74f7..2e9a8f5
@@ -4,7 +4,7 @@
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
 # Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
 # 
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
@@ -131,7 +131,16 @@ FAC_PRIO=local0.notice
 # the syslog configuration file /etc/syslog.conf:
 #
 # local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=@IPSEC_ROUTING_TABLE@
 #
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=@IPSEC_ROUTING_TABLE_PRIO@
 
 # check interface version
 case "$PLUTO_VERSION" in
@@ -191,14 +200,6 @@ addsource() {
 
 doroute() {
        st=0
-       parms="$PLUTO_PEER_CLIENT"
-
-       parms2=
-       if [ -n "$PLUTO_NEXT_HOP" ]
-       then
-          parms2="via $PLUTO_NEXT_HOP"
-       fi
-       parms2="$parms2 dev $PLUTO_INTERFACE"
 
        if [ -z "$PLUTO_MY_SOURCEIP" ]
        then
@@ -218,11 +219,34 @@ doroute() {
            fi
         fi
 
+       if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           # leave because no route entry is required
+           return $st
+       fi
+
+       parms1="$PLUTO_PEER_CLIENT"
+
+       if [ -n "$PLUTO_NEXT_HOP" ]
+       then
+           parms2="via $PLUTO_NEXT_HOP"
+       else
+           parms2="via $PLUTO_PEER"
+       fi      
+       parms2="$parms2 dev $PLUTO_INTERFACE"
+
        parms3=
-       if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
+       if [ -n "$PLUTO_MY_SOURCEIP" ]
        then
-           addsource
-           parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
+           if test "$1" = "add"
+           then
+               addsource
+               if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+               then
+                   ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+               fi
+           fi
+           parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
        fi
 
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
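Review bot: The rule-existence test on the `if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"` line is an unanchored substring match, so a configured table number that is a prefix of another table already present in the rule list (constructed example: 220 against an existing 2200) would be taken as "already there" and the `ip rule add` silently skipped, leaving the routes written into the table unreachable; anchoring the match, e.g. `if ! ip rule list | grep -qw "lookup $SOURCEIP_ROUTING_TABLE"`, closes that gap. The `ip rule add pref ... table ...` call on the next line is also the only ip invocation in this function whose outcome is not examined — the route commands later in the function have their stderr captured into `oops` and reflected in `$st` — so a failed rule add neither logs nor changes the return value; `ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE || st=$?` would at least surface it. doroute() begins before this hunk and its error-logging tail lies after it.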
@@ -233,7 +257,7 @@ doroute() {
                it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
                        ip route $1 128.0.0.0/1 $parms2 $parms3"
                ;;
-       *)      it="ip route $1 $parms $parms2 $parms3"
+       *)      it="ip route $1 $parms1 $parms2 $parms3"
                ;;
        esac
        oops="`eval $it 2>&1`"
@@ -252,9 +276,11 @@ doroute() {
 # in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
 then
+       KLIPS=1
        IPSEC_POLICY_IN=""
        IPSEC_POLICY_OUT=""
 else
+       KLIPS=
        IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
        IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
        IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
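Review bot: The new `KLIPS` flag is assigned here at script scope but consumed far away — in doroute() and in the prepare-host/prepare-client branch of the verb dispatch — and nothing at the point of definition says what it stands for or who depends on it. A comment above the surrounding `if` would spare the next reader a search, e.g. `# KLIPS is non-empty when Pluto passed an ipsecN interface; doroute() and the prepare-* verbs use it to decide whether a route entry is needed at all`. As far as this hunk shows, the only effect of the flag being empty together with an empty PLUTO_MY_SOURCEIP is the early return/exit added elsewhere in this commit, so the comment should say that rather than imply any broader KLIPS handling.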
@@ -275,6 +301,13 @@ fi
 # the big choice
 case "$PLUTO_VERB:$1" in
 prepare-host:*|prepare-client:*)
+       if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+       then
+           # exit because no route will be added,
+           # so that existing routes can stay
+           exit 0
+       fi
+
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
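Review bot: The `[ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]` test added at the top of the prepare-host/prepare-client branch duplicates the one added to doroute() earlier in this commit, and the two must agree exactly: if they ever drift, prepare-* will skip the route deletion that the later add step assumes happened, or delete a route that is then never re-added. A single helper used from both places, e.g. `needs_route() { [ -n "$KLIPS" ] || [ -n "$PLUTO_MY_SOURCEIP" ]; }` with `needs_route || exit 0` here and `needs_route || return $st` in doroute(), keeps them in lockstep. The binary `-a` form of test is also marked obsolescent by POSIX; `[ -z "$KLIPS" ] && [ -z "$PLUTO_MY_SOURCEIP" ]` is the portable spelling. The prepare-host/prepare-client case branch continues past the end of this hunk.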