Subversion Repositories configs

Rev

Rev 6 | Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | RSS feed 

#!/bin/sh
# IPsec startup and shutdown script
#
### BEGIN INIT INFO
# Provides: ipsec
# Required-Start: $network $remote_fs $syslog $named
# Required-Stop: $syslog $remote_fs
# Default-Start:
# Default-Stop: 0 1 6
# Short-Description: Start Libreswan IPsec at boot time
# Description: Enable automatic key management for IPsec (KLIPS and NETKEY)
### END INIT INFO
#
### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
### Debian and Fedora interpret the LSB differently for Default-Start:

# Copyright (C) 1998, 1999, 2001  Henry Spencer.
# Copyright (C) 2002              Michael Richardson <mcr@freeswan.org>
# Copyright (C) 2006              Michael Richardson <mcr@xelerance.com>
# Copyright (C) 2008              Michael Richardson <mcr@sandelman.ca>
# Copyright (C) 2008-2014         Tuomo Soini <tis@foobar.fi>
# Copyright (C) 2012              Paul Wouters <paul@libreswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# ipsec         sysv style init.d script for starting and stopping
#               the IPsec security subsystem (KLIPS and Pluto).
#
# This script becomes /etc/rc.d/init.d/ipsec
# and is also accessible as "ipsec setup"
#
# The startup and shutdown times are a difficult compromise (in particular,
# it is almost impossible to reconcile them with the insanely early/late
# times of NFS filesystem startup/shutdown).  Startup is after startup of
# syslog and pcmcia support; shutdown is just before shutdown of syslog.
#
# chkconfig: - 47 76
# description: IPsec provides encrypted and authenticated communications; \
# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.

test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x

# Source function library.
. /etc/rc.d/init.d/functions

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 6

if [ ! -f /etc/sysconfig/network ]; then
    exit 6
fi

if [ $(id -u) -ne 0 ]; then
    echo "permission denied (must be superuser)" | \
        logger -s -p daemon.error -t ipsec_setup 2>&1
    exit 4
fi

if [ $(ip addr list | grep -c cipsec) -ne 0 ]; then
    echo "Cisco IPSec client is already loaded, aborting! (cipsec# device found)"
    exit 1
fi

# where the private directory and the config files are
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
IPSEC_EXECDIR="${IPSEC_EXECDIR:-/usr/libexec/ipsec}"
IPSEC_SBINDIR="${IPSEC_SBINDIR:-/usr/sbin}"
unset PLUTO_OPTIONS

rundir=/var/run/pluto
plutopid=${rundir}/pluto.pid
plutoctl=${rundir}/pluto.ctl
lockdir=/var/lock/subsys
lockfile=${lockdir}/ipsec
ipsecversion=/proc/net/ipsec_version
kamepfkey=/proc/net/pfkey

# /etc/resolv.conf related paths
LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
ORIG_RESOLV_CONF=/etc/resolv.conf

# there is some confusion over the name - just do both
[ -f /etc/sysconfig/ipsec ] && . /etc/sysconfig/ipsec
[ -f /etc/sysconfig/pluto ] && . /etc/sysconfig/pluto

# misc setup
umask 022

# standardize PATH, and export it for everything else's benefit
PATH="${IPSEC_SBINDIR}:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin"
export PATH

mkdir -p ${rundir}
chmod 700 ${rundir}

verify_config() {
    [ -f ${IPSEC_CONF} ] || exit 6

    config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1)
    RETVAL=$?
    if [ ${RETVAL} -gt 0 ]; then
        echo "Configuration error - the following error occured:"
        echo ${config_error}
        echo "IKE daemon status was not modified"
        exit ${RETVAL}
    fi
}

start() {
    echo -n $"Starting pluto IKE daemon for IPsec: "
    ipsec _stackmanager start

    # pluto searches the current directory, so this is required for making it selinux compliant
    cd /
    # This script will enter an endless loop to ensure pluto restarts on crash
    ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} &
    [ -d ${lockdir} ] || mkdir -p ${lockdir}
    touch ${lockfile}
    # Because _plutorun starts pluto at background we need to make sure pluto is started
    # before we know if start was successful or not
    for waitsec in 1 2 3 4 5; do
        if status -p ${plutopid} -l ${lockfile} ${IPSEC_EXECDIR}/pluto >/dev/null; then
            RETVAL=0
            break
        else
            echo -n "."
            sleep 1
            RETVAL=1
        fi
    done
    if [ ${RETVAL} -eq 0 ]; then
        success
    else
        rm -f ${lockfile}
        failure
    fi
    echo
    return ${RETVAL}
}


stop() {
    if [ ! -e ${plutoctl} ]; then
        echo "Missing control file ${plutoctl} - is pluto running?"
    else
        echo $"Shutting down pluto IKE daemon"
        ipsec whack --shutdown
        # don't use seq, might not exist on embedded
        for waitsec in 1 2 3 4 5 6 7 8 9 10; do
            if [ -s ${plutopid} ]; then
                echo -n "."
                sleep 1
            else
                break
            fi
        done
        echo
        rm -f ${plutoctl} # we won't be using this anymore
    fi
    if [ -s ${plutopid} ]; then
        # pluto did not die peacefully
        echo "Attempt to shut Pluto down failed!  Trying kill"
        killproc -p ${plutopid} ${IPSEC_EXECDIR}/pluto
        RETVAL=$?
        [ ${RETVAL} -eq 0 ] && rm -f ${plutopid}
    fi

    ipsec _stackmanager stop

    # cleaning up backup resolv.conf
    if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
        if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then
            cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF}
        fi
        rm -f  ${LIBRESWAN_RESOLV_CONF}
    fi

    rm -f ${lockfile}
    return ${RETVAL}
}

restart() {
    verify_config
    stop
    start
    return $?
}

condrestart() {
    if [ -f ${lockfile} ]; then
        restart
        return $?
    fi
}

version() {
    ipsec version
    return $?
}


# do it
case "$1" in
    start)
        start
        RETVAL=$?
        ;;
    stop)
        stop
        RETVAL=$?
        ;;
    restart)
        restart
        RETVAL=$?
        ;;
    reload|force-reload)
        restart
        RETVAL=$?
        ;;
    condrestart|try-restart)
        condrestart
        RETVAL=$?
        ;;
    status)
        status -p ${plutopid} -l ${lockfile} ${IPSEC_EXECDIR}/pluto
        RETVAL=$?
        ;;
    version)
        version
        RETVAL=$?
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}"
        RETVAL=2
esac

exit ${RETVAL}