_updown.posix.in

This a good VPN source

#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.posix.in,v 1.2 2003/10/28 21:36:17 dhr Exp $



# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.


# For explanation of how this is invoked, see ipsec_pluto(8) man page


# check interface version
case "$PLUTO_VERSION" in
1.[0])	# Older Pluto?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: 	called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
case "$1:$*" in
':')			# no parameters
	;;
ipfwadm:ipfwadm)	# due to (left/right)firewall; for default script only
	;;
custom:*)		# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
	doroute add
}
downroute() {
	doroute del
}
doroute() {
	parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
	parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# horrible kludge for obscure routing bug with opportunistic
		it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
			route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
		;;
	*)	it="route $1 $parms $parms2"
		;;
	esac
	eval $it
	st=$?
	if test $st -ne 0
	then
		# route has already given its own cryptic message
		echo "$0: \`$it' failed" >&2
		if test " $1 $st" = " add 7"
		then
			# another totally undocumented interface -- 7 and
			# "SIOCADDRT: Network is unreachable" means that
			# the gateway isn't reachable.
			echo "$0: (incorrect or missing nexthop setting??)" >&2
		fi
	fi
	return $st
}



# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# horrible kludge for obscure routing bug with opportunistic
		it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
			route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
		;;
	*)
		it="route del -net $PLUTO_PEER_CLIENT_NET \
					netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
		;;
	esac
	oops="`eval $it`"
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
	'SIOCDELRT: No such process'*)
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:*)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:*)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
down-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac