314 lines
12 KiB
Perl
314 lines
12 KiB
Perl
#!/usr/bin/perl -w
|
|
#----------------------------------------------------------------------
|
|
# Ipsec actions
|
|
# Copyright (C) 2015 John Crisp
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License or more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#----------------------------------------------------------------------
|
|
|
|
# Note that we do not need to use the init ipsec script - we can start and
|
|
# stop directly using /usr/sbin/ipsec which will call the init script
|
|
|
|
# Probably ought to check somewhere that the status of services is public
|
|
# But if it is private then you have to re-expand masq someplace
|
|
|
|
use strict;
|
|
use warnings;
|
|
use esmith::ConfigDB;
|
|
|
|
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
|
|
my $ipsecDB = esmith::ConfigDB->open('ipsec_connections')
|
|
or die("Ipsec Error - cant connect to ipsec database");
|
|
|
|
my $ipsecDBkey = 'ipsec';
|
|
my $xl2tpdDBkey = 'xl2tpd';
|
|
my $xl2tpdipsecprop = "L2TPD-PSK";
|
|
|
|
# Check on access status - we'll use this later
|
|
# If status goes to disabled we should set this private
|
|
|
|
my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private';
|
|
print "Ipsec Information - IpsecAccessState: $ipsec_access\n";
|
|
|
|
# If the service is set disabled then make sure it is stopped
|
|
# Note that ipsec is not a service so we cannot use the normal service commands
|
|
|
|
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) {
|
|
|
|
# Always reset redirects on stop
|
|
print "Ipsec Information - reset redirects";
|
|
resetRedirects();
|
|
|
|
# Sort out xl2tpd - if ipsec is disabled it has to be stopped
|
|
|
|
print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n";
|
|
my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n");
|
|
|
|
if ( not defined $myStopXl2tpd ) {
|
|
die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
|
|
}
|
|
|
|
# Do we check if it is already stopped ?
|
|
# For now we stop it regardless
|
|
|
|
print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
|
|
my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n");
|
|
|
|
if ( not defined $myStopConnection ) {
|
|
die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
|
|
}
|
|
|
|
exit 0;
|
|
}
|
|
|
|
# If the ipsec service is set to enabled AND running (then check the connections)
|
|
|
|
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) {
|
|
|
|
# Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started
|
|
my $xl2tpdstatus = $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled';
|
|
|
|
if ( $xl2tpdstatus eq 'enabled' ) {
|
|
my $xl2tpdService = (`ps ax | grep -v grep | grep xl2tpd`);
|
|
|
|
#If the service is not running then start it
|
|
unless ( $xl2tpdService =~ m/xl2tpd/ ) {
|
|
|
|
print "Xl2tpd Information - xl2tpd enabled but stopped - restarting xl2tpd \n";
|
|
my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd restart)
|
|
|| die("xl2tpd Error - Unable to launch xl2tpd restart : $!\n");
|
|
|
|
if ( not defined $myStartXl2tpd ) {
|
|
die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
my $status = (`ps ax | grep -v grep | grep pluto`);
|
|
|
|
# If the ipsec service is running
|
|
if ( $status =~ m/_plutorun/ ) {
|
|
|
|
# Lets do some stuff
|
|
print "Ipsec Information - ipsec is running !\n";
|
|
|
|
# make sure reDirects are right
|
|
setRedirects();
|
|
|
|
# Load the connections
|
|
my @connections = $ipsecDB->keys;
|
|
|
|
foreach my $ipsecprop (@connections) {
|
|
|
|
#Check the individual connection status
|
|
my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
|
|
|| "disabled";
|
|
|
|
# What type of connection are we ?
|
|
my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
|
|
|
|
# Lets check the last state and if it doesn't exist set it disabled
|
|
if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
|
|
my $previpsecstatus = "disabled";
|
|
$ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
|
|
}
|
|
|
|
# Now we should have it
|
|
my $previpsecstatus = $ipsecDB->get_prop( $ipsecprop, 'PreviousState' );
|
|
|
|
print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
|
|
|
|
# Lets reread secrets anyway
|
|
print "Ipsec Information - Restart - ReReading Secrets\n";
|
|
my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
|
|
|
|
die("Ipsec Error - Unable launch ipsec reread secrets : $!\n")
|
|
if not defined $reread;
|
|
die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n")
|
|
if $?;
|
|
|
|
# If we are enabled
|
|
if ( ( $previpsecstatus eq "enabled" )
|
|
&& ( $ipsecstatus eq "enabled" ) ) {
|
|
|
|
# Restart
|
|
print "Ipsec Information - Restarting connection - $ipsecprop\n";
|
|
|
|
# Have to use system here as replace usually returns 1280
|
|
# Replace just rereads the config and does --delete --add
|
|
system("/usr/sbin/ipsec auto --replace $ipsecprop");
|
|
print "Ipsec Information - Restart system - replace return code: $?\n";
|
|
|
|
# If connection = start then bring it up
|
|
if ( $connection eq 'start' ) {
|
|
print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
|
|
|
|
# If it is start rather than add we try and force it to come up
|
|
startConnection($ipsecprop);
|
|
print "Ipsec Information - En - En auto --up\n";
|
|
print "Ipsec Information - Restart system - up return code: $?\n";
|
|
}
|
|
|
|
# Set Previous status
|
|
changeState( $ipsecprop, $ipsecstatus );
|
|
|
|
}
|
|
|
|
# If status is disabled then stop it
|
|
elsif (( $previpsecstatus eq "disabled" )
|
|
&& ( $ipsecstatus eq "disabled" ) ) {
|
|
|
|
# Stop
|
|
print "Ipsec Information - Stop connection - $ipsecprop\n";
|
|
stopConnection($ipsecprop);
|
|
|
|
# Set Previous status
|
|
changeState( $ipsecDBkey, $ipsecstatus );
|
|
}
|
|
|
|
# If status was disabled and now enabled then start it
|
|
elsif (( $previpsecstatus eq "disabled" )
|
|
&& ( $ipsecstatus eq "enabled" ) ) {
|
|
|
|
# Start
|
|
print "Enabling connection $ipsecprop\n";
|
|
|
|
# Have to use system here as replace usually returns 1280 and not 0
|
|
system("/usr/sbin/ipsec auto --replace $ipsecprop");
|
|
print "Ipsec Information - Restart system - return code: $?\n";
|
|
|
|
if ( $connection eq 'start' ) {
|
|
|
|
# Have to use exec here as system waits for a return and if the connection
|
|
# does not come up it will just hang. So fire 'n forget
|
|
print "Ipsec Information - Dis- En - - Auto --async --up $ipsecprop\n";
|
|
|
|
startConnection($ipsecprop);
|
|
print "Ipsec Information - Dis - En auto --up\n";
|
|
print "Ipsec Information - Restart system - up return code: $?\n";
|
|
|
|
#or die "exec failed!";
|
|
}
|
|
|
|
# Set Previous status
|
|
changeState( $ipsecprop, $ipsecstatus );
|
|
}
|
|
|
|
# If status was enabled and now disabled then stop it
|
|
elsif (( $previpsecstatus eq "enabled" )
|
|
&& ( $ipsecstatus eq "disabled" ) ) {
|
|
|
|
# Stop and remove - do we need to ?
|
|
print "Ipsec Information - Stopping connection $ipsecprop\n ";
|
|
stopConnection($ipsecprop);
|
|
|
|
# Set Previous status
|
|
changeState( $ipsecprop, $ipsecstatus );
|
|
}
|
|
|
|
# Should never be here as it means the statuses are other than enabled or disabled
|
|
else {
|
|
print "Ipsec Error - Something went wrong with ipsec connection status\n";
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
# If it isn't running then start it up
|
|
# Auto connections start themselves. Added connections wait
|
|
else {
|
|
print "Ipsec Information - Disable Reverse Path Filtering\n";
|
|
setRedirects();
|
|
|
|
# Make sure access = public
|
|
unless ( $ipsec_access eq 'public' ) {
|
|
$configDB->set_prop( $ipsecDBkey, 'access', 'public' );
|
|
}
|
|
|
|
print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
|
|
my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
|
|
die("Ipsec Error - Unable to launch ipsec start : $!\n ")
|
|
if not defined $myStartConnection;
|
|
die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?;
|
|
|
|
exit 0;
|
|
}
|
|
|
|
exit 0;
|
|
|
|
}
|
|
|
|
#### Subroutines here
|
|
|
|
sub changeState {
|
|
|
|
#@_ contains $ipsecDBkey and $ipsecstatus
|
|
$ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] );
|
|
}
|
|
|
|
sub startConnection {
|
|
system("/usr/sbin/ipsec auto --asynchronous --up $_[0]");
|
|
}
|
|
|
|
sub stopConnection {
|
|
print "Ipsec Information - SubRoutine - stop connection $_[0]\n ";
|
|
system("/usr/sbin/ipsec auto --down $_[0]");
|
|
print "Ipsec Information - system down code: $?\n";
|
|
system("/usr/sbin/ipsec auto --delete $_[0]");
|
|
print "Ipsec Information - system delete code: $?\n";
|
|
}
|
|
|
|
sub setRedirects {
|
|
|
|
my $internalIf = $configDB->get_prop( 'InternalInterface', 'Name' );
|
|
my $externalIf = $configDB->get_prop( 'ExternalInterface', 'Name' );
|
|
|
|
# Big warning - this is a potential security issue
|
|
# Make sure you read and understand what happens !
|
|
# If I knew which specific interfaces to change we could reduce the lines here
|
|
system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
|
|
system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
|
|
system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
system("/sbin/sysctl -w net.ipv4.conf.$externalIf.rp_filter=0") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
system("/sbin/sysctl -w net.ipv4.conf.$internalIf.rp_filter=0") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
|
|
|
|
}
|
|
|
|
sub resetRedirects {
|
|
|
|
# /etc/syctl.conf is expanded on ipsec-update
|
|
# This should reload the file - if ipsec is disabled it should reset to defaults
|
|
# If ipsec is enabled it should disable rp_filtering
|
|
system("/sbin/sysctl -p") == 0
|
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
|
}
|
|
|