mirror of
git://projects.qi-hardware.com/openwrt-xburst.git
synced 2024-12-13 15:30:37 +02:00
424d05490f
git-svn-id: svn://svn.openwrt.org/openwrt/trunk/openwrt@3535 3c298f89-4303-0410-b956-a3cf2f4a3e73
625 lines
18 KiB
Diff
625 lines
18 KiB
Diff
diff -Nur openswan-2.4.5rc5/programs/loggerfix openswan-2.4.5rc5.patched/programs/loggerfix
|
|
--- openswan-2.4.5rc5/programs/loggerfix 1970-01-01 01:00:00.000000000 +0100
|
|
+++ openswan-2.4.5rc5.patched/programs/loggerfix 2006-03-29 01:20:44.000000000 +0200
|
|
@@ -0,0 +1,5 @@
|
|
+#!/bin/sh
|
|
+# use filename instead of /dev/null to log, but dont log to flash or ram
|
|
+# pref. log to nfs mount
|
|
+echo "$*" >> /dev/null
|
|
+exit 0
|
|
diff -Nur openswan-2.4.5rc5/programs/look/look.in openswan-2.4.5rc5.patched/programs/look/look.in
|
|
--- openswan-2.4.5rc5/programs/look/look.in 2005-08-18 16:10:09.000000000 +0200
|
|
+++ openswan-2.4.5rc5.patched/programs/look/look.in 2006-03-29 01:20:44.000000000 +0200
|
|
@@ -84,7 +84,7 @@
|
|
then
|
|
pat="$pat|$defaultroutephys\$|$defaultroutevirt\$"
|
|
else
|
|
- for i in `echo "$IPSECinterfaces" | sed 's/=/ /'`
|
|
+ for i in `echo "$IPSECinterfaces" | tr '=' ' '`
|
|
do
|
|
pat="$pat|$i\$"
|
|
done
|
|
diff -Nur openswan-2.4.5rc5/programs/manual/manual.in openswan-2.4.5rc5.patched/programs/manual/manual.in
|
|
--- openswan-2.4.5rc5/programs/manual/manual.in 2005-11-18 06:18:33.000000000 +0100
|
|
+++ openswan-2.4.5rc5.patched/programs/manual/manual.in 2006-03-29 01:20:44.000000000 +0200
|
|
@@ -104,7 +104,7 @@
|
|
sub(/:/, " ", $0)
|
|
if (interf != "")
|
|
print $3 "@" interf
|
|
- }' | sed ':a;N;$!ba;s/\n/ /g'`"
|
|
+ }' | tr '\n' ' '`"
|
|
;;
|
|
esac
|
|
|
|
diff -Nur openswan-2.4.5rc5/programs/_plutorun/_plutorun.in openswan-2.4.5rc5.patched/programs/_plutorun/_plutorun.in
|
|
--- openswan-2.4.5rc5/programs/_plutorun/_plutorun.in 2006-01-06 00:45:00.000000000 +0100
|
|
+++ openswan-2.4.5rc5.patched/programs/_plutorun/_plutorun.in 2006-03-29 01:20:44.000000000 +0200
|
|
@@ -147,7 +147,7 @@
|
|
exit 1
|
|
fi
|
|
else
|
|
- if test ! -w "`dirname $stderrlog`"
|
|
+ if test ! -w "`echo $stderrlog | sed -r 's/(^.*\/)(.*$)/\1/'`"
|
|
then
|
|
echo Cannot write to directory to create \"$stderrlog\".
|
|
exit 1
|
|
diff -Nur openswan-2.4.5rc5/programs/_realsetup/_realsetup.in openswan-2.4.5rc5.patched/programs/_realsetup/_realsetup.in
|
|
--- openswan-2.4.5rc5/programs/_realsetup/_realsetup.in 2005-07-28 02:23:48.000000000 +0200
|
|
+++ openswan-2.4.5rc5.patched/programs/_realsetup/_realsetup.in 2006-03-29 01:20:44.000000000 +0200
|
|
@@ -235,7 +235,7 @@
|
|
|
|
# misc pre-Pluto setup
|
|
|
|
- perform test -d `dirname $subsyslock` "&&" touch $subsyslock
|
|
+ perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock
|
|
|
|
if test " $IPSECforwardcontrol" = " yes"
|
|
then
|
|
@@ -347,7 +347,7 @@
|
|
lsmod 2>&1 | grep "^xfrm_user" > /dev/null && rmmod -s xfrm_user
|
|
fi
|
|
|
|
- perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock
|
|
+ perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock "&&" rm -f $subsyslock
|
|
|
|
perform rm -f $info $lock $plutopid
|
|
perform echo "...Openswan IPsec stopped" "|" $LOGONLY
|
|
diff -Nur openswan-2.4.5rc5/programs/send-pr/send-pr.in openswan-2.4.5rc5.patched/programs/send-pr/send-pr.in
|
|
--- openswan-2.4.5rc5/programs/send-pr/send-pr.in 2005-04-18 01:04:46.000000000 +0200
|
|
+++ openswan-2.4.5rc5.patched/programs/send-pr/send-pr.in 2006-03-29 01:20:44.000000000 +0200
|
|
@@ -402,7 +402,7 @@
|
|
else
|
|
if [ "$fieldname" != "Category" ]
|
|
then
|
|
- values=`${BINDIR}/query-pr --valid-values $fieldname | sed ':a;N;$!ba;s/\n/ /g' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'`
|
|
+ values=`${BINDIR}/query-pr --valid-values $fieldname | tr '\n' ' ' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'`
|
|
valslen=`echo "$values" | wc -c`
|
|
else
|
|
values="choose from a category listed above"
|
|
@@ -414,7 +414,7 @@
|
|
else
|
|
desc="<${values} (one line)>";
|
|
fi
|
|
- dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'`
|
|
+ dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
|
|
echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL
|
|
fi
|
|
echo "${fmtname}${desc}" >> $file
|
|
@@ -425,7 +425,7 @@
|
|
desc=" $default_val";
|
|
else
|
|
desc=" <`${BINDIR}/query-pr --field-description $fieldname` (multiple lines)>";
|
|
- dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'`
|
|
+ dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
|
|
echo "s/^${dpat}//" >> $FIXFIL
|
|
fi
|
|
echo "${fmtname}" >> $file;
|
|
@@ -437,7 +437,7 @@
|
|
desc="${default_val}"
|
|
else
|
|
desc="<`${BINDIR}/query-pr --field-description $fieldname` (one line)>"
|
|
- dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'`
|
|
+ dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
|
|
echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL
|
|
fi
|
|
echo "${fmtname}${desc}" >> $file
|
|
diff -Nur openswan-2.4.5rc5/programs/setup/setup.in openswan-2.4.5rc5.patched/programs/setup/setup.in
|
|
--- openswan-2.4.5rc5/programs/setup/setup.in 2005-07-25 21:17:03.000000000 +0200
|
|
+++ openswan-2.4.5rc5.patched/programs/setup/setup.in 2006-03-29 01:20:44.000000000 +0200
|
|
@@ -117,12 +117,22 @@
|
|
# do it
|
|
case "$1" in
|
|
start|--start|stop|--stop|_autostop|_autostart)
|
|
- if test " `id -u`" != " 0"
|
|
+ if [ "x${USER}" != "xroot" ]
|
|
then
|
|
echo "permission denied (must be superuser)" |
|
|
logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
|
|
exit 1
|
|
fi
|
|
+
|
|
+ # make sure all required directories exist
|
|
+ if [ ! -d /var/run/pluto ]
|
|
+ then
|
|
+ mkdir -p /var/run/pluto
|
|
+ fi
|
|
+ if [ ! -d /var/lock/subsys ]
|
|
+ then
|
|
+ mkdir -p /var/lock/subsys
|
|
+ fi
|
|
tmp=/var/run/pluto/ipsec_setup.st
|
|
outtmp=/var/run/pluto/ipsec_setup.out
|
|
(
|
|
diff -Nur openswan-2.4.5rc5/programs/showhostkey/showhostkey.in openswan-2.4.5rc5.patched/programs/showhostkey/showhostkey.in
|
|
--- openswan-2.4.5rc5/programs/showhostkey/showhostkey.in 2004-11-14 14:40:41.000000000 +0100
|
|
+++ openswan-2.4.5rc5.patched/programs/showhostkey/showhostkey.in 2006-03-29 01:20:44.000000000 +0200
|
|
@@ -63,7 +63,7 @@
|
|
exit 1
|
|
fi
|
|
|
|
-host="`hostname --fqdn`"
|
|
+host="`cat /proc/sys/kernel/hostname`"
|
|
|
|
awk ' BEGIN {
|
|
inkey = 0
|
|
diff -Nur openswan-2.4.5rc5/programs/_startklips/_startklips.in openswan-2.4.5rc5.patched/programs/_startklips/_startklips.in
|
|
--- openswan-2.4.5rc5/programs/_startklips/_startklips.in 2005-11-25 00:08:05.000000000 +0100
|
|
+++ openswan-2.4.5rc5.patched/programs/_startklips/_startklips.in 2006-03-29 01:23:54.000000000 +0200
|
|
@@ -262,15 +262,15 @@
|
|
echo "FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel"
|
|
exit
|
|
fi
|
|
-if test ! -f $ipsecversion && test ! -f $netkey && modprobe -qn ipsec
|
|
+if test ! -f $ipsecversion && test ! -f $netkey && insmod ipsec
|
|
then
|
|
# statically compiled KLIPS/NETKEY not found; try to load the module
|
|
- modprobe ipsec
|
|
+ insmod ipsec
|
|
fi
|
|
|
|
if test ! -f $ipsecversion && test ! -f $netkey
|
|
then
|
|
- modprobe -v af_key
|
|
+ insmod -v af_key
|
|
fi
|
|
|
|
if test -f $netkey
|
|
@@ -278,21 +278,21 @@
|
|
klips=false
|
|
if test -f $modules
|
|
then
|
|
- modprobe -qv ah4
|
|
- modprobe -qv esp4
|
|
- modprobe -qv ipcomp
|
|
+ insmod -qv ah4
|
|
+ insmod -qv esp4
|
|
+ insmod -qv ipcomp
|
|
# xfrm4_tunnel is needed by ipip and ipcomp
|
|
- modprobe -qv xfrm4_tunnel
|
|
+ insmod -qv xfrm4_tunnel
|
|
# xfrm_user contains netlink support for IPsec
|
|
- modprobe -qv xfrm_user
|
|
- modprobe -qv hw_random
|
|
+ insmod -qv xfrm_user
|
|
+ insmod -qv hw_random
|
|
# padlock must load before aes module
|
|
- modprobe -qv padlock
|
|
+ insmod -qv padlock
|
|
# load the most common ciphers/algo's
|
|
- modprobe -qv sha1
|
|
- modprobe -qv md5
|
|
- modprobe -qv des
|
|
- modprobe -qv aes
|
|
+ insmod -qv sha1
|
|
+ insmod -qv md5
|
|
+ insmod -qv des
|
|
+ insmod -qv aes
|
|
fi
|
|
fi
|
|
|
|
@@ -308,10 +308,10 @@
|
|
fi
|
|
unset MODPATH MODULECONF # no user overrides!
|
|
depmod -a >/dev/null 2>&1
|
|
- modprobe -qv hw_random
|
|
+ insmod -qv hw_random
|
|
# padlock must load before aes module
|
|
- modprobe -qv padlock
|
|
- modprobe -v ipsec
|
|
+ insmod -qv padlock
|
|
+ insmod -v ipsec
|
|
fi
|
|
if test ! -f $ipsecversion
|
|
then
|
|
diff -Nur openswan-2.4.5rc5/programs/_startklips/_startklips.in.orig openswan-2.4.5rc5.patched/programs/_startklips/_startklips.in.orig
|
|
--- openswan-2.4.5rc5/programs/_startklips/_startklips.in.orig 1970-01-01 01:00:00.000000000 +0100
|
|
+++ openswan-2.4.5rc5.patched/programs/_startklips/_startklips.in.orig 2005-11-25 00:08:05.000000000 +0100
|
|
@@ -0,0 +1,407 @@
|
|
+#!/bin/sh
|
|
+# KLIPS startup script
|
|
+# Copyright (C) 1998, 1999, 2001, 2002 Henry Spencer.
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or modify it
|
|
+# under the terms of the GNU General Public License as published by the
|
|
+# Free Software Foundation; either version 2 of the License, or (at your
|
|
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful, but
|
|
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
+# for more details.
|
|
+#
|
|
+# RCSID $Id$
|
|
+
|
|
+me='ipsec _startklips' # for messages
|
|
+
|
|
+# KLIPS-related paths
|
|
+sysflags=/proc/sys/net/ipsec
|
|
+modules=/proc/modules
|
|
+# full rp_filter path is $rpfilter1/interface/$rpfilter2
|
|
+rpfilter1=/proc/sys/net/ipv4/conf
|
|
+rpfilter2=rp_filter
|
|
+# %unchanged or setting (0, 1, or 2)
|
|
+rpfiltercontrol=0
|
|
+ipsecversion=/proc/net/ipsec_version
|
|
+moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec
|
|
+bareversion=`uname -r | sed -e 's/\.nptl//' | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'`
|
|
+moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec
|
|
+case $bareversion in
|
|
+ 2.6*)
|
|
+ modulename=ipsec.ko
|
|
+ ;;
|
|
+ *)
|
|
+ modulename=ipsec.o
|
|
+ ;;
|
|
+esac
|
|
+
|
|
+klips=true
|
|
+netkey=/proc/net/pfkey
|
|
+
|
|
+info=/dev/null
|
|
+log=daemon.error
|
|
+for dummy
|
|
+do
|
|
+ case "$1" in
|
|
+ --log) log="$2" ; shift ;;
|
|
+ --info) info="$2" ; shift ;;
|
|
+ --debug) debug="$2" ; shift ;;
|
|
+ --omtu) omtu="$2" ; shift ;;
|
|
+ --fragicmp) fragicmp="$2" ; shift ;;
|
|
+ --hidetos) hidetos="$2" ; shift ;;
|
|
+ --rpfilter) rpfiltercontrol="$2" ; shift ;;
|
|
+ --) shift ; break ;;
|
|
+ -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
|
|
+ *) break ;;
|
|
+ esac
|
|
+ shift
|
|
+done
|
|
+
|
|
+
|
|
+
|
|
+# some shell functions, to clarify the actual code
|
|
+
|
|
+# set up a system flag based on a variable
|
|
+# sysflag value shortname default flagname
|
|
+sysflag() {
|
|
+ case "$1" in
|
|
+ '') v="$3" ;;
|
|
+ *) v="$1" ;;
|
|
+ esac
|
|
+ if test ! -f $sysflags/$4
|
|
+ then
|
|
+ if test " $v" != " $3"
|
|
+ then
|
|
+ echo "cannot do $2=$v, $sysflags/$4 does not exist"
|
|
+ exit 1
|
|
+ else
|
|
+ return # can't set, but it's the default anyway
|
|
+ fi
|
|
+ fi
|
|
+ case "$v" in
|
|
+ yes|no) ;;
|
|
+ *) echo "unknown (not yes/no) $2 value \`$1'"
|
|
+ exit 1
|
|
+ ;;
|
|
+ esac
|
|
+ case "$v" in
|
|
+ yes) echo 1 >$sysflags/$4 ;;
|
|
+ no) echo 0 >$sysflags/$4 ;;
|
|
+ esac
|
|
+}
|
|
+
|
|
+# set up a Klips interface
|
|
+klipsinterface() {
|
|
+ # pull apart the interface spec
|
|
+ virt=`expr $1 : '\([^=]*\)=.*'`
|
|
+ phys=`expr $1 : '[^=]*=\(.*\)'`
|
|
+ case "$virt" in
|
|
+ ipsec[0-9]) ;;
|
|
+ *) echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;;
|
|
+ esac
|
|
+
|
|
+ # figure out ifconfig for interface
|
|
+ addr=
|
|
+ eval `ifconfig $phys |
|
|
+ awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ {
|
|
+ gsub(/:/, " ", $0)
|
|
+ print "addr=" $3
|
|
+ other = $5
|
|
+ if ($4 == "Bcast")
|
|
+ print "type=broadcast"
|
|
+ else if ($4 == "P-t-P")
|
|
+ print "type=pointopoint"
|
|
+ else if (NF == 5) {
|
|
+ print "type="
|
|
+ other = ""
|
|
+ } else
|
|
+ print "type=unknown"
|
|
+ print "otheraddr=" other
|
|
+ print "mask=" $NF
|
|
+ }'`
|
|
+ if test " $addr" = " "
|
|
+ then
|
|
+ echo "unable to determine address of \`$phys'"
|
|
+ exit 1
|
|
+ fi
|
|
+ if test " $type" = " unknown"
|
|
+ then
|
|
+ echo "\`$phys' is of an unknown type"
|
|
+ exit 1
|
|
+ fi
|
|
+ if test " $omtu" != " "
|
|
+ then
|
|
+ mtu="mtu $omtu"
|
|
+ else
|
|
+ mtu=
|
|
+ fi
|
|
+ echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly
|
|
+
|
|
+ if $klips
|
|
+ then
|
|
+ # attach the interface and bring it up
|
|
+ ipsec tncfg --attach --virtual $virt --physical $phys
|
|
+ ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu
|
|
+ fi
|
|
+
|
|
+ # if %defaultroute, note the facts
|
|
+ if test " $2" != " "
|
|
+ then
|
|
+ (
|
|
+ echo "defaultroutephys=$phys"
|
|
+ echo "defaultroutevirt=$virt"
|
|
+ echo "defaultrouteaddr=$addr"
|
|
+ if test " $2" != " 0.0.0.0"
|
|
+ then
|
|
+ echo "defaultroutenexthop=$2"
|
|
+ fi
|
|
+ ) >>$info
|
|
+ else
|
|
+ echo '#dr: no default route' >>$info
|
|
+ fi
|
|
+
|
|
+ # check for rp_filter trouble
|
|
+ checkif $phys # thought to be a problem only on phys
|
|
+}
|
|
+
|
|
+# check an interface for problems
|
|
+checkif() {
|
|
+ $klips || return 0
|
|
+ rpf=$rpfilter1/$1/$rpfilter2
|
|
+ if test -f $rpf
|
|
+ then
|
|
+ r="`cat $rpf`"
|
|
+ if test " $r" != " 0"
|
|
+ then
|
|
+ case "$r-$rpfiltercontrol" in
|
|
+ 0-%unchanged|0-0|1-1|2-2)
|
|
+ # happy state
|
|
+ ;;
|
|
+ *-%unchanged)
|
|
+ echo "WARNING: $1 has route filtering turned on; KLIPS may not work ($rpf is $r)"
|
|
+ ;;
|
|
+ [012]-[012])
|
|
+ echo "WARNING: changing route filtering on $1 (changing $rpf from $r to $rpfiltercontrol)"
|
|
+ echo "$rpfiltercontrol" >$rpf
|
|
+ ;;
|
|
+ [012]-*)
|
|
+ echo "ERROR: unknown rpfilter setting: $rpfiltercontrol"
|
|
+ ;;
|
|
+ *)
|
|
+ echo "ERROR: unknown $rpf value $r"
|
|
+ ;;
|
|
+ esac
|
|
+ fi
|
|
+ fi
|
|
+}
|
|
+
|
|
+# interfaces=%defaultroute: put ipsec0 on top of default route's interface
|
|
+defaultinterface() {
|
|
+ phys=`netstat -nr |
|
|
+ awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'`
|
|
+ if test " $phys" = " "
|
|
+ then
|
|
+ echo "no default route, %defaultroute cannot cope!!!"
|
|
+ exit 1
|
|
+ fi
|
|
+ if test `echo " $phys" | wc -l` -gt 1
|
|
+ then
|
|
+ echo "multiple default routes, %defaultroute cannot cope!!!"
|
|
+ exit 1
|
|
+ fi
|
|
+ next=`netstat -nr |
|
|
+ awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'`
|
|
+ klipsinterface "ipsec0=$phys" $next
|
|
+}
|
|
+
|
|
+# log only to syslog, not to stdout/stderr
|
|
+logonly() {
|
|
+ logger -p $log -t ipsec_setup
|
|
+}
|
|
+
|
|
+# sort out which module is appropriate, changing it if necessary
|
|
+setmodule() {
|
|
+ if [ -e /proc/kallsyms ]
|
|
+ then
|
|
+ kernelsymbols="/proc/kallsyms";
|
|
+ echo "calcgoo: warning: 2.6 kernel with kallsyms not supported yet"
|
|
+ else
|
|
+ kernelsymbols="/proc/ksyms";
|
|
+ fi
|
|
+ wantgoo="`ipsec calcgoo $kernelsymbols`"
|
|
+ module=$moduleplace/$modulename
|
|
+ if test -f $module
|
|
+ then
|
|
+ goo="`nm -ao $module | ipsec calcgoo`"
|
|
+ if test " $wantgoo" = " $goo"
|
|
+ then
|
|
+ return # looks right
|
|
+ fi
|
|
+ fi
|
|
+ if test -f $moduleinstplace/$wantgoo
|
|
+ then
|
|
+ echo "modprobe failed, but found matching template module $wantgoo."
|
|
+ echo "Copying $moduleinstplace/$wantgoo to $module."
|
|
+ rm -f $module
|
|
+ mkdir -p $moduleplace
|
|
+ cp -p $moduleinstplace/$wantgoo $module
|
|
+ # "depmod -a" gets done by caller
|
|
+ fi
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+# main line
|
|
+
|
|
+# load module if possible
|
|
+if test -f $ipsecversion && test -f $netkey
|
|
+then
|
|
+ # both KLIPS and NETKEY code detected, bail out
|
|
+ echo "FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel"
|
|
+ exit
|
|
+fi
|
|
+if test ! -f $ipsecversion && test ! -f $netkey && modprobe -qn ipsec
|
|
+then
|
|
+ # statically compiled KLIPS/NETKEY not found; try to load the module
|
|
+ modprobe ipsec
|
|
+fi
|
|
+
|
|
+if test ! -f $ipsecversion && test ! -f $netkey
|
|
+then
|
|
+ modprobe -v af_key
|
|
+fi
|
|
+
|
|
+if test -f $netkey
|
|
+then
|
|
+ klips=false
|
|
+ if test -f $modules
|
|
+ then
|
|
+ modprobe -qv ah4
|
|
+ modprobe -qv esp4
|
|
+ modprobe -qv ipcomp
|
|
+ # xfrm4_tunnel is needed by ipip and ipcomp
|
|
+ modprobe -qv xfrm4_tunnel
|
|
+ # xfrm_user contains netlink support for IPsec
|
|
+ modprobe -qv xfrm_user
|
|
+ modprobe -qv hw_random
|
|
+ # padlock must load before aes module
|
|
+ modprobe -qv padlock
|
|
+ # load the most common ciphers/algo's
|
|
+ modprobe -qv sha1
|
|
+ modprobe -qv md5
|
|
+ modprobe -qv des
|
|
+ modprobe -qv aes
|
|
+ fi
|
|
+fi
|
|
+
|
|
+if test ! -f $ipsecversion && $klips
|
|
+then
|
|
+ if test -r $modules # kernel does have modules
|
|
+ then
|
|
+ if [ ! -e /proc/ksyms -a ! -e /proc/kallsyms ]
|
|
+ then
|
|
+ echo "Broken 2.6 kernel without kallsyms, skipping calcgoo (Fedora rpm?)"
|
|
+ else
|
|
+ setmodule
|
|
+ fi
|
|
+ unset MODPATH MODULECONF # no user overrides!
|
|
+ depmod -a >/dev/null 2>&1
|
|
+ modprobe -qv hw_random
|
|
+ # padlock must load before aes module
|
|
+ modprobe -qv padlock
|
|
+ modprobe -v ipsec
|
|
+ fi
|
|
+ if test ! -f $ipsecversion
|
|
+ then
|
|
+ echo "kernel appears to lack IPsec support (neither CONFIG_KLIPS or CONFIG_NET_KEY are set)"
|
|
+ exit 1
|
|
+ fi
|
|
+fi
|
|
+
|
|
+# figure out debugging flags
|
|
+case "$debug" in
|
|
+'') debug=none ;;
|
|
+esac
|
|
+if test -r /proc/net/ipsec_klipsdebug
|
|
+then
|
|
+ echo "KLIPS debug \`$debug'" | logonly
|
|
+ case "$debug" in
|
|
+ none) ipsec klipsdebug --none ;;
|
|
+ all) ipsec klipsdebug --all ;;
|
|
+ *) ipsec klipsdebug --none
|
|
+ for d in $debug
|
|
+ do
|
|
+ ipsec klipsdebug --set $d
|
|
+ done
|
|
+ ;;
|
|
+ esac
|
|
+elif $klips
|
|
+then
|
|
+ if test " $debug" != " none"
|
|
+ then
|
|
+ echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities"
|
|
+ fi
|
|
+fi
|
|
+
|
|
+# figure out misc. kernel config
|
|
+if test -d $sysflags
|
|
+then
|
|
+ sysflag "$fragicmp" "fragicmp" yes icmp
|
|
+ echo 1 >$sysflags/inbound_policy_check # no debate
|
|
+ sysflag no "no_eroute_pass" no no_eroute_pass # obsolete parm
|
|
+ sysflag no "opportunistic" no opportunistic # obsolete parm
|
|
+ sysflag "$hidetos" "hidetos" yes tos
|
|
+elif $klips
|
|
+then
|
|
+ echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!"
|
|
+ # carry on
|
|
+fi
|
|
+
|
|
+if $klips
|
|
+then
|
|
+ # clear tables out in case dregs have been left over
|
|
+ ipsec eroute --clear
|
|
+ ipsec spi --clear
|
|
+elif test $netkey
|
|
+then
|
|
+ if ip xfrm state > /dev/null 2>&1
|
|
+ then
|
|
+ ip xfrm state flush
|
|
+ ip xfrm policy flush
|
|
+ elif type setkey > /dev/null 2>&1
|
|
+ then
|
|
+ # Check that the setkey command is available.
|
|
+ setkeycmd=
|
|
+ PATH=$PATH:/usr/local/sbin
|
|
+ for dir in `echo $PATH | tr ':' ' '`
|
|
+ do
|
|
+ if test -f $dir/setkey -a -x $dir/setkey
|
|
+ then
|
|
+ setkeycmd=$dir/setkey
|
|
+ break # NOTE BREAK OUT
|
|
+ fi
|
|
+ done
|
|
+ $setkeycmd -F
|
|
+ $setkeycmd -FP
|
|
+ else
|
|
+
|
|
+ echo "WARNING: cannot flush state/policy database -- \`$1'. Install a newer version of iproute/iproute2 or install the ipsec-tools package to obtain the setkey command." |
|
|
+ logger -s -p daemon.error -t ipsec_setup
|
|
+ fi
|
|
+fi
|
|
+
|
|
+# figure out interfaces
|
|
+for i
|
|
+do
|
|
+ case "$i" in
|
|
+ ipsec*=?*) klipsinterface "$i" ;;
|
|
+ %defaultroute) defaultinterface ;;
|
|
+ *) echo "interface \`$i' not understood"
|
|
+ exit 1
|
|
+ ;;
|
|
+ esac
|
|
+done
|
|
+
|
|
+exit 0
|