3 # Copyright (C) 1998, 1999, 2001, 2002 Henry Spencer.
5 # This program is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by the
7 # Free Software Foundation; either version 2 of the License, or (at your
8 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 # This program is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 # RCSID $Id: _startklips,v 1.6.2.1 2002/04/09 21:34:56 mcr Exp $
17 me='ipsec _startklips' # for messages
20 sysflags=/proc/sys/net/ipsec
22 # full rp_filter path is $rpfilter1/interface/$rpfilter2
23 rpfilter1=/proc/sys/net/ipv4/conf
25 ipsecversion=/proc/net/ipsec_version
26 modulesdir=/lib/modules/ipsec
27 moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec
35 --log) log="$2" ; shift ;;
36 --info) info="$2" ; shift ;;
37 --debug) debug="$2" ; shift ;;
38 --omtu) omtu="$2" ; shift ;;
39 --fragicmp) fragicmp="$2" ; shift ;;
40 --hidetos) hidetos="$2" ; shift ;;
41 --default) packetdefault="$2" ; shift ;;
43 -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
51 # some shell functions, to clarify the actual code
53 # set up a system flag based on a variable
# usage: sysflag value shortname default flagname
# (writes 1 or 0 to $sysflags/flagname for a yes/no value; a missing flag
# file is only tolerated when the requested value is already the default)
60 if test ! -f $sysflags/$4
62 if test " $v" != " $3"
64 echo "cannot do $2=$v, $sysflags/$4 does not exist"
67 return # can't set, but it's the default anyway
72 *) echo "unknown (not yes/no) $2 value \`$1'"
77 yes) echo 1 >$sysflags/$4 ;;
78 no) echo 0 >$sysflags/$4 ;;
82 # set up a Klips interface
# pull apart the interface spec, which has the form virt=phys
85 virt=`expr $1 : '\([^=]*\)=.*'`
86 phys=`expr $1 : '[^=]*=\(.*\)'`
89 *) echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;;
# figure out ifconfig for interface; the awk output below is eval'd as
# shell assignments, so keep it printing only fixed "name=value" lines
94 eval `ifconfig $phys |
95 awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ {
100 print "type=broadcast"
101 else if ($4 == "P-t-P")
102 print "type=pointopoint"
108 print "otheraddr=" other
111 if test " $addr" = " "
113 echo "unable to determine address of \`$phys'"
116 if test " $type" = " unknown"
118 echo "\`$phys' is of an unknown type"
121 if test " $omtu" != " "
127 echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly
129 # attach the interface and bring it up
130 ipsec tncfg --attach --virtual $virt --physical $phys
131 ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu
133 # if %defaultroute, note the facts
137 echo "defaultroutephys=$phys"
138 echo "defaultroutevirt=$virt"
139 echo "defaultrouteaddr=$addr"
140 if test " $2" != " 0.0.0.0"
142 echo "defaultroutenexthop=$2"
146 echo '#dr: no default route' >>$info
# check for rp_filter trouble: warn if reverse-path filtering is enabled
# on the physical interface, since that is known to interfere with KLIPS
150 checkif $phys # thought to be a problem only on phys
153 # check an interface for problems
155 rpf=$rpfilter1/$1/$rpfilter2
159 if test " $r" != " 0"
161 echo "WARNING: $1 has route filtering turned on, KLIPS may not work"
162 echo " ($rpf = \`$r', should be 0)"
167 # interfaces=%defaultroute: put ipsec0 on top of default route's interface
170 awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'`
171 if test " $phys" = " "
173 echo "no default route, %defaultroute cannot cope!!!"
176 if test `echo " $phys" | wc -l` -gt 1
178 echo "multiple default routes, %defaultroute cannot cope!!!"
182 awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'`
183 klipsinterface "ipsec0=$phys" $next
186 # log only to syslog, not to stdout/stderr
188 logger -p $log -t ipsec_setup
# sort out which module is appropriate (matched on the running kernel's
# netif_rx symbol version) and copy it into place if necessary
193 if test ! -d $modulesdir
195 return # nothing we can do anyway
197 wantgoo="`sed -n '/ netif_rx_R/s/.*_R//p' /proc/ksyms`"
198 module=$moduleplace/$modulename
201 goo="`nm -ug $module | sed -n '/ netif_rx_R/s/.*_//p'`"
202 if test " $wantgoo" = " $goo"
207 if test -f $modulesdir/$wantgoo
209 echo "KLIPS module needed changing (to $wantgoo)" | logonly
211 mkdir -p $moduleplace
212 cp -p $modulesdir/$wantgoo $module
213 # "depmod -a" gets done by caller
# load module if necessary; MODPATH/MODULECONF are cleared first so the
# caller's environment cannot redirect where modprobe looks for it
222 if test ! -f $ipsecversion
224 if test -r $modules # kernel does have modules
227 unset MODPATH MODULECONF # no user overrides!
228 depmod -a >/dev/null 2>&1 && modprobe ipsec
230 if test ! -f $ipsecversion
232 echo "kernel appears to lack KLIPS"
237 # figure out debugging flags
241 if test -r /proc/net/ipsec_klipsdebug
243 echo "KLIPS debug \`$debug'" | logonly
245 none) ipsec klipsdebug --none ;;
246 all) ipsec klipsdebug --all ;;
247 *) ipsec klipsdebug --none
250 ipsec klipsdebug --set $d
255 if test " $debug" != " none"
257 echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities"
261 # figure out misc. kernel config
264 sysflag "$fragicmp" "fragicmp" yes icmp
265 echo 1 >$sysflags/inbound_policy_check # no debate
266 sysflag no "no_eroute_pass" no no_eroute_pass # obsolete parm
267 sysflag no "opportunistic" no opportunistic # obsolete parm
268 sysflag "$hidetos" "hidetos" yes tos
270 echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!"
274 # clear tables out in case dregs have been left over
278 # figure out interfaces
282 ipsec*=?*) klipsinterface "$i" ;;
283 %defaultroute) defaultinterface ;;
284 *) echo "interface \`$i' not understood"
290 # set up default eroute if necessary
291 case "$packetdefault" in
293 ipsec eroute --label "packetdefault" --replace --eraf inet \
294 --src 0/0 --dst 0/0 --said "%$packetdefault"
297 *) echo "unknown packetdefault value \`$packetdefault'"