📄 manual.in
字号:
if ("leftupdown" in s) { cmd = s["leftupdown"] } else { cmd = "ipsec _updown" } print "PLUTO_VERB=" verb verbsuf " " cmd " " suffix } END { ######### if (failed) exit 1 set_os_default("type", "tunnel") type = s["type"] shunt = 0 if (type == "transport") { if ("leftsubnet" in s) fail("type=transport incompatible with leftsubnet") if ("rightsubnet" in s) fail("type=transport incompatible with rightsubnet") } else if (type == "passthrough") { shunt = 1; p = "%pass" } else if (type == "drop" || type == "reject") { shunt = 1; p = "%" type } else if (type != "tunnel") fail("only know how to do types tunnel/transport/passthrough") if (shunt) { if (("ah" in s) || ("esp" in s)) fail(type " connection may not specify AH or ESP") } else { if (!("ah" in s) && !("esp" in s)) fail("neither AH nor ESP specified for connection") } need("left") need("right") if (s["left"] == "%defaultroute") { if (s["right"] == "%defaultroute") fail("left and right cannot both be %defaultroute") if (draddr == "") fail("%defaultroute requested but not known") s["left"] = draddr nexthopset("left", drnexthop) } else if (s["right"] == "%defaultroute") { if (draddr == "") fail("%defaultroute requested but not known") s["right"] = draddr nexthopset("right", drnexthop) } leftsub = ("leftsubnet" in s) ? 1 : 0 set_os_default("leftsubnet", s["left"] "/32") rightsub = ("rightsubnet" in s) ? 1 : 0 set_os_default("rightsubnet", s["right"] "/32") integer("espreplay_window") if (("espreplay_window" in s) && s["espreplay_window"] == 0) delete s["espreplay_window"] integer("ahreplay_window") if (("ahreplay_window" in s) && s["ahreplay_window"] == 0) delete s["ahreplay_window"] netfix("left") netfix("right") set_os_default("leftnexthop", s["right"]) set_os_default("rightnexthop", s["left"]) if (s["leftnexthop"] == s["left"]) fail("left and leftnexthop must not be the same") if (s["rightnexthop"] == s["right"]) fail("right and rightnexthop must not be the same") bidir("espenckey") bidir("espauthkey") bidir("ahkey") if ("spi" in s && "spibase" in s) fail("cannot specify both spi and spibase") if (!shunt) { if ("spibase" in s) { b = s["spibase"] if (b !~ /^0x[0-9a-fA-F]+0$/) fail("bad syntax in spibase -- must be 0x...0") spibase = substr(b, 1, length(b)-1) } else { need("spi") if (s["spi"] !~ /^0x[0-9a-fA-F]+$/) fail("bad syntax in spi -- must be 0x...") } } spir = 0 spil = 1 # who am I? me = "" for (addr in interface) { if (addr == s["left"] || addr == s["right"]) { if (me != "") fail("ambiguous: could be on \"" iface \ "\" or \"" interface[addr] "\"") me = addr iface = interface[addr] } } if (me == "") fail("cannot find interface for " s["left"] " or " s["right"]) if (other) { if (s["left"] == me) me = s["right"] else if (s["right"] == me) me = s["left"] } havesubnet = leftsubnet if (s["right"] == me) { swap("") # swaps "left" and "right" swap("subnet") swap("nexthop") swap("net") swap("mask") swap("firewall") swap("espspi") swap("ahspi") swap("espenckey") swap("espauthkey") swap("ahkey") swap("updown") t = spil spil = spir spir = t havesubnet = rightsubnet } him = s["right"] if (s["leftnexthop"] == "%defaultroute") { if (drnexthop == "") fail("%defaultroute requested but not known") s["leftnexthop"] = drnexthop } tspi = rightward() if (type == "tunnel") { espi = rightward() intspi = leftward() } else espi = tspi if (s["rightespspi"] != "") espi = s["rightespspi"] respi = leftward() if (s["leftespspi"] != "") respi = s["leftespspi"] if ("ah" in s) { if ("esp" in s) { aspi = rightward() raspi = leftward() } else { aspi = espi raspi = respi } if (s["rightahspi"] != "") aspi = s["rightahspi"] if (s["leftahspi"] != "") raspi = s["leftahspi"] } routeid = "-net " s["rightnet"] " netmask " s["rightmask"] if (s["rightmask"] == "255.255.255.255") routeid = "-host " s["rightnet"] print "PATH=\"'"$PATH"'\"" print "export PATH" print "PLUTO_VERSION=1.1" verbsuf = (havesubnet) ? "-client" : "-host" print "PLUTO_CONNECTION=" q(names) print "PLUTO_NEXT_HOP=" s["leftnexthop"] print "PLUTO_INTERFACE=" iface print "PLUTO_ME=" me print "PLUTO_MY_CLIENT=" s["leftsubnet"] print "PLUTO_MY_CLIENT_NET=" s["leftnet"] print "PLUTO_MY_CLIENT_MASK=" s["leftmask"] print "PLUTO_PEER=" him print "PLUTO_PEER_CLIENT=" s["rightsubnet"] print "PLUTO_PEER_CLIENT_NET=" s["rightnet"] print "PLUTO_PEER_CLIENT_MASK=" s["rightmask"] print "export PLUTO_VERSION PLUTO_CONNECTION PLUTO_NEXT_HOP" print "export PLUTO_INTERFACE PLUTO_ME PLUTO_MY_CLIENT" print "export PLUTO_MY_CLIENT_NET PLUTO_MY_CLIENT_MASK PLUTO_PEER" print "export PLUTO_PEER_CLIENT PLUTO_PEER_CLIENT_NET" print "export PLUTO_PEER_CLIENT_MASK" if (op == "--up") { print "{" # first, the outbound SAs if (type == "tunnel") { print "ipsec spi --label", q(names), "--af inet", "--said", ("tun" tspi "@" him), "\\" print "\t--ip4", "--src", me, "--dst", him, "&&" } espspi(me, him, espi) ahspi(me, him, aspi) if (nrspi > 1) { # group them printf "ipsec spigrp --label %s --said ", q(names) if (type == "tunnel") printf "tun%s@%s ", tspi, him if (("esp" in s)) printf "esp%s@%s ", espi, him if ("ah" in s) printf "ah%s@%s ", aspi, him printf " &&\n" } # inbound SAs if (type == "tunnel") { print "ipsec spi --label", q(names), "--af inet", "--said", ("tun" intspi "@" me), "\\" print "\t--ip4", "--src", him, "--dst", me, "&&" } espspi(him, me, respi) ahspi(him, me, raspi) if (nlspi > 1) { # group them printf "ipsec spigrp --label %s --said ", q(names) if (type == "tunnel") printf "tun%s@%s ", intspi, me if (("esp" in s)) printf "esp%s@%s ", respi, me if ("ah" in s) printf "ah%s@%s ", raspi, me printf " &&\n" } # with the SAs in place, eroute to them print "ipsec eroute --label", q(names), "--eraf inet --replace", "\\" if (!shunt) { if (type == "tunnel") p = "tun" else if (("esp" in s)) p = "esp" else p = "ah" p = p tspi "@" him } print "\t--src", s["leftsubnet"], "--dst", s["rightsubnet"], "--said", p, "&&" # with the eroute in place, NOW we can route to it #print "{ route del", routeid, "2>/dev/null ; true ; } &&" updown("prepare", "&&") #print "route add", routeid, "dev", iface, "gw", # s["leftnexthop"], "&&" updown("route", "&&") # and with all processing in place, we can penetrate firewall #if (s["leftfirewall"] == "yes") { # print "ipfwadm -F -i accept -b -S", s["leftsubnet"], # "-D", s["rightsubnet"], "&&" #} updown("up", "&&") print "true" print "} || {" } else if (op == "--route") { #print "{ route del", routeid, "2>/dev/null ; true ; } &&" updown("prepare", "&&") #print "route add", routeid, "dev", iface, "gw", # s["leftnexthop"] updown("route") exit 0 } else if (op == "--unroute") { #print "route del", routeid, "dev", iface, "gw", # s["leftnexthop"] updown("unroute") exit 0 } else # down print "{" # now do "down", unconditionally, since the desired output for "up" # is { up && up && up && true } || { down ; down ; down } # tear things down in fairly strict reverse order #if (s["leftfirewall"] == "yes") # print "ipfwadm -F -d accept -b -S", s["leftsubnet"], # "-D", s["rightsubnet"] updown("down") #print "route del", routeid, "dev", iface, "gw", s["leftnexthop"] print "# do not delete route" print "ipsec eroute --label", q(names), "--eraf inet --del", "\\" print "\t--src", s["leftsubnet"], "--dst", s["rightsubnet"] #if ("ah" in s) { # print "ipsec spi --label", q(names), "--af inet", "--del", # "--said", ("ah" raspi "@" me) #} #if ("esp" in s) { # print "ipsec spi --label", q(names), "--af inet", "--del", # "--said", ("esp" respi "@" me) #} if (!shunt) { if (type == "tunnel") p = "tun" else if (("esp" in s)) p = "esp" else p = "ah" print "ipsec spi --label", q(names), "--af inet", "--del", "--said", (p tspi "@" him), " # outbound" print "ipsec spi --label", q(names), "--af inet", "--del", "--said", (p intspi "@" me), " # inbound" } if (op == "--up") print "} 2>/dev/null" else print "}" ######### }' |if test $showonlythen catelse sh $shoptsfi⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -