#!/bin/sh
# IPsec startup and shutdown command
# Copyright (C) 1998, 1999, 2001  Henry Spencer.
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _realsetup.in,v 1.46.2.9 2006/05/05 18:49:45 ken Exp $

me='ipsec setup'		# for messages

# Misc. paths (some of this should perhaps be overrideable from ipsec.conf).
plutopid=/var/run/pluto/pluto.pid
plutoctl=/var/run/pluto/pluto.ctl
subsyslock=/var/lock/subsys/ipsec
lock=/var/run/pluto/ipsec_setup.pid
info=/var/run/pluto/ipsec.info
sysflags=/proc/sys/net/ipsec
modules=/proc/modules
ipforward=/proc/sys/net/ipv4/ip_forward
ipsecversion=/proc/net/ipsec_version
kamepfkey=/proc/net/pfkey

# make sure output of (e.g.) ifconfig is in English
unset LANG LANGUAGE LC_ALL LC_MESSAGES

# check we were called properly
if test " $IPSEC_confreadsection" != " setup"
then
	echo "$me: $0 must be called by ipsec_setup" >&2
	exit 1
fi
# defaults for "config setup" items

IPSECinterfaces=${IPSECinterfaces:-%defaultroute}
	if test " $IPSECinterfaces" = " %none" ; then IPSECinterfaces= ; fi
# IPSECforwardcontrol	"no"
# IPSECsyslog	"daemon.error"
# IPSECklipsdebug	"none"
# IPSECplutodebug	"none"
# IPSECdumpdir	"" (no dump)
# IPSECmanualstart	""
# IPSECpluto	"yes"
IPSECplutowait=${IPSECplutowait:-no}
# IPSECprepluto	""
# IPSECpostpluto	""
# IPSECfragicmp	"yes"
# IPSEChidetos	"yes"
IPSECrp_filter=${IPSECrp_filter:-0}
IPSECuniqueids=${IPSECuniqueids:-yes}
IPSECcrlcheckinterval=${IPSECcrlcheckinterval:-0}
IPSECprotostack=${IPSECprotostack:-auto}
# IPSECoverridemtu	""

# which kernel are we using?
case $IPSECprotostack in
auto)
    if test -f $kamepfkey
	then
	    netkey=true; klips=false;
	else
	    netkey=false; klips=true;
    fi;;
    
klips)  netkey=false; klips=true;;
netkey) netkey=true;  klips=false;;
none)   netkey=false; klips=false;;
esac


# Shall we trace?
execute="true"
display="false"
for i in $IPSEC_setupflags
do
	case "$i" in
	"--showonly")	execute="false" ; display=true ;;
	"--show")	display=true ;;
	esac
done

if $display
then
	echo "	" PATH="$PATH"
fi

perform() {
	if $display
	then
		echo "	" "$*"
	fi

	if $execute
	then
		eval "$*"
	fi
}

# function to set up manually-keyed connections
manualconns() {
	if test " $IPSECmanualstart" != " "
	then
		for tu in $IPSECmanualstart
		do
			perform ipsec manual --up $tu
		done
	fi

	# search for things to "ipsec manual --up": auto == "manual"
	eval `ipsec _confread --varprefix MANUALSTART --search auto manual`
	if test " $MANUALSTART_confreadstatus" != " "
	then
		echo "auto=manual search: $MANUALSTART_confreadstatus"
		echo "unable to determine what conns to manual --up; none done"
	elif test " $MANUALSTART_confreadnames" != " "
	then
		for tu in $MANUALSTART_confreadnames
		do
			perform ipsec manual --up $tu
		done
	fi
}

# for no-stdout logging:
LOGONLY="logger -p $IPSECsyslog -t ipsec_setup"

# What an ugly string.
# Must be a string, not a function, because it is nested
# within another sequence (for plutorun).
# Luckily there are NO substitutions in it.

if $klips
then
    KILLKLIPS='ifl=` ifconfig | sed -n -e "/^ipsec/s/ .*//p" ` ;
	test "X$ifl" != "X" &&
	for i in  $ifl ;
	do
		ifconfig $i down ;
		ipsec tncfg --detach --virtual $i ;
	done ;
	test -r /proc/net/ipsec_klipsdebug && ipsec klipsdebug --none ;
	test -d /proc/net/ipsec/eroute && ipsec eroute --clear ;
	test -d /proc/net/ipsec/spi && ipsec spi --clear'
	lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec ; 
	for ifname in `ls /proc/sys/net/ipv4/conf/|grep ipsec`; do
        	for ipaddr in `ip addr list dev $ifname | sed -n "/inet/ s/.*inet \(.*\) brd.*/\1/p"`; do
                	ip addr del "$ipaddr" dev "$ifname"
		done
	done 
fi

if $netkey
then
	KILLKLIPS='
		if ip xfrm state > /dev/null 2>&1 ;
		then
			ip xfrm state flush ;
			ip xfrm policy flush ;
		elif type setkey > /dev/null 2>&1 ;
		then
			setkey -F ;
			setkey -FP ;
		fi'
fi



# do it
case "$1" in
  start|--start|_autostart)
	# First, does it seem to be going already?
	perform test ! -f $lock "||" "{" \
		echo "\"Openswan IPsec apparently already running, start aborted\"" ";" \
		exit 1 ";" \
		"}"

	# announcement
	# (Warning, changes to this log message may affect barf.)
	version="`ipsec --version | awk 'NR == 1 { print $(3) }' | sed -e 's/^U\(.*\)\/K(.*/\1/'`"
	case "$1" in
	start|--start)	perform echo "\"Starting Openswan IPsec $version...\""	;;
	_autostart)	perform echo "\"Restarting Openswan IPsec $version...\""	;;
	esac

	# preliminaries
	perform rm -f $lock

	# the meaning of $$ at a different runtime is questionable!
	perform echo '$$' ">" $lock
	perform test -s $lock "||" "{" \
		echo "\"...unable to create $lock, aborting start!\"" ";" \
		rm -f $lock ";" \
		exit 1 ";" \
		"}"

	perform ">" $info

	# overridemtu is ignored on 2.6, so warn the user.
	if $netkey
	then
        	if test $IPSECoverridemtu
        	then
                	echo "WARNING: overridemtu= is ignored when using the NETKEY stack"
        	fi
	fi


	# here we go
	perform ipsec _startklips \
			--info $info \
			--debug "\"$IPSECklipsdebug\"" \
			--omtu "\"$IPSECoverridemtu\"" \
			--fragicmp "\"$IPSECfragicmp\"" \
			--hidetos "\"$IPSEChidetos\"" \
			--rpfilter "\"$IPSECrp_filter\"" \
			--log "\"$IPSECsyslog\"" \
			$IPSECinterfaces "||" \
		"{" rm -f $lock ";" exit 1 ";" "}"

	perform test -f $ipsecversion "||" \
		test -f $kamepfkey "||" "{" \
		echo "\"OOPS, should have aborted!  Broken shell!\"" ";" \
		exit 1 ";" \
		"}"

	# misc pre-Pluto setup

	perform test -d `dirname $subsyslock` "&&" touch $subsyslock

	if test " $IPSECforwardcontrol" = " yes"
	then
		perform grep '"^0"' $ipforward ">" /dev/null "&&" "{" \
			echo "\"enabling IP forwarding:\"" "|" $LOGONLY ";" \
			echo "\"ipforwardingwas=$fw\"" ">>" $info ";" \
			echo 1 ">" $ipforward ";" \
			"}"
	fi
	manualconns

	plutorestartoncrash=""
	case "$IPSECplutorestartoncrash" in
	    true|[yY]|yes|restart) plutorestartoncrash="--plutorestartoncrash true";;
	    false|[nN]|no|die) plutorestartoncrash="--plutorestartoncrash false" ;;
        esac

	# Pluto
	case "$1" in
	start|--start)	re=	;;
	_autostart)	re=--re	;;
	esac
	if test " $IPSECpluto" != " no"
	then
		perform ipsec _plutorun $re \
			--debug "\"$IPSECplutodebug\"" \
			--uniqueids "\"$IPSECuniqueids\"" \
			--nocrsend "\"$IPSECnocrsend\"" \
			--strictcrlpolicy "\"$IPSECstrictcrlpolicy\"" \
			--nat_traversal "\"$IPSECnat_traversal\"" \
			--keep_alive "\"$IPSECkeep_alive\"" \
			--protostack "\"$IPSECprotostack\"" \
			--force_keepalive "\"$IPSECforce_keepalive\"" \
			--disable_port_floating "\"$IPSECdisable_port_floating\"" \
			--virtual_private "\"$IPSECvirtual_private\"" \
			--crlcheckinterval "\"$IPSECcrlcheckinterval\"" \
                        --ocspuri "\"$IPSECocspuri\"" \
			--nhelpers "\"$IPSECnhelpers\"" \
			--dump "\"$IPSECdumpdir\"" \
			--opts "\"$IPSECplutoopts\"" \
			--stderrlog "\"$IPSECplutostderrlog\"" \
			--wait "\"$IPSECplutowait\"" \
			--pre "\"$IPSECprepluto\"" \
			--post "\"$IPSECpostpluto\"" \
			--log "\"$IPSECsyslog\"" $plutorestartoncrash \
			--pid "\"$plutopid\"" "||" "{" \
		    $KILLKLIPS ";" \
		    rm -f $lock ";" \
		    exit 1 ";" \
		    "}"
	fi

	# done!
	perform echo "\"...Openswan IPsec started\"" "|" $LOGONLY
	;;

  stop|--stop|_autostop)		# _autostop is same as stop
	# Shut things down.
	perform echo "\"Stopping Openswan IPsec...\""
	perform \
		if test -r $lock ";" \
		then \
			status=0 ";" \
			. $info ";" \
		else \
			echo "\"stop ordered, but IPsec does not appear to be running!\"" ";" \
			echo "\"doing cleanup anyway...\"" ";" \
			status=1 ";" \
		fi
	if test " $IPSECforwardcontrol" = " yes"
	then
		perform test "\"X\$ipforwardingwas\"" = "\"X0\"" "&&" "{" \
			echo "\"disabling IP forwarding:\"" "|" $LOGONLY ";" \
			echo 0 ">" $ipforward ";" \
			"}"
	fi

	if [ -f /var/run/pluto.pid -a ! -f /var/run/pluto/pluto.pid ]
	then
	    mkdir -p /var/run/pluto
	    mv /var/run/pluto.pid /var/run/pluto/pluto.pid
	fi

	perform test -f $plutopid "&&" "{" \
		if ps -p '`' cat $plutopid '`' ">" /dev/null ";" \
		then \
			ipsec whack --shutdown "|" grep -v "^002" ";" \
			sleep 1 ";" \
			if test -s $plutopid ";" \
			then \
				echo "\"Attempt to shut Pluto down failed!  Trying kill:\"" ";" \
				kill '`' cat $plutopid '`' ";" \
				sleep 5 ";" \
			fi ";" \
		else \
			echo "\"Removing orphaned $plutopid:\"" ";" \
		fi ";" \
		rm -f $plutopid ";" \
		"}"

	perform $KILLKLIPS
	rm -f /var/run/pluto.pid

	# When we exit we clean up (remove) the modules we are using, even the kame'ish ones
	if test -e ${kamepfkey}; then
		lsmod 2>&1 | grep "^xfrm4_tunnel" > /dev/null && rmmod -s xfrm4_tunnel
		lsmod 2>&1 | grep "^af_key" > /dev/null && rmmod -s af_key
		# old name for xfrm4_tunnel
		lsmod 2>&1 | grep "^xfrm_user" > /dev/null && rmmod -s xfrm_user
	fi 

	perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock

	perform rm -f $info $lock $plutopid
	perform echo "...Openswan IPsec stopped" "|" $LOGONLY
	perform exit \$status
	;;

  status|--status)
	if test " $IPSEC_setupflags" != " "
	then
		echo "$me $1 does not support $IPSEC_setupflags"
		exit 1
	fi

	if test -f $info
	then
		hasinfo=yes
	fi

	if test -f $lock
	then
		haslock=yes
	fi

	if test -f $subsyslock
	then
		hassublock=yes
	fi

	if test -s $plutopid
	then
		if ps -p `cat $plutopid` >/dev/null
		then
			plutokind=normal
		elif ps -C pluto >/dev/null
		then
			plutokind=illicit
		fi
	elif ps -C pluto >/dev/null
	then
		plutokind=orphaned
	else
		plutokind=no
	fi

	if test -r /proc/net/ipsec_eroute
	then
		if test " `wc -l < /proc/net/ipsec_eroute 2> /dev/null `" -gt 0
		then
			eroutes=`wc -l < /proc/net/ipsec_eroute 2> /dev/null | sed s/\ //g`
		fi
	else
		eroutes=`ipsec auto --status 2> /dev/null | grep -i "ipsec sa established" | wc -l | sed s/\ //g`
	fi


	if test -r $ipsecversion
	then
		klips=yes
	elif test -r $modules
	then
		klips=maybe
	else
		klips=none
	fi
		
	if test -r $kamepfkey
	then
		lk26sec=yes
	fi

	if test "$haslock"
	then
		echo "IPsec running"  " - pluto pid: `cat $plutopid`"
		# might not be a subsystem lock dir, ignore that issue
		if test "$plutokind" = "normal" -a \( "$klips" = "yes" -o "$lk26sec" = "yes" \)  -a "$hasinfo"
		then
			echo "pluto pid `cat $plutopid`"
                        case "$eroutes" in
                        0)      echo "No tunnels up"    ;;
                        *)      echo "$eroutes tunnels up"      ;;
                        esac
			exit 0
		fi
		echo "but..."
		if test "$plutokind" != "normal"
		then
			echo "$plutokind Pluto running" " - pluto pid: `cat $plutopid`"
		fi
		if test ! "$hasinfo"
		then
			echo "$info file missing!"
		fi
		case $klips in
		maybe)	echo "KLIPS module is not loaded!"	;;
		none)	echo "no KLIPS in kernel!"		;;
		esac
		if test "$eroutes"
		then
			if test "$eroutes" -gt 0
			then
				echo "some eroutes exist"
			fi
		fi
	else
		echo "IPsec stopped"
		if test ! "$hassublock" -a ! "$hasinfo" -a "$plutokind" = "no" -a "$eroutes" -eq 0
		then
			exit 0
		fi
		echo "but..."
		if test "$hassublock"
		then
			echo "has subsystem lock ($subsyslock)!"
		fi
		if test "$hasinfo"
		then
			echo "has $info file!"
		fi
		if test "$plutokind" != "no"
		then
			echo "An ${plutokind} Pluto is running?"
		fi
		if test "$eroutes" -gt 0
		then
			echo "some (${eroutes}) eroutes exist!"
		fi
		exit 1
	fi
	# todo: ipsec verify --quiet that only shows problems
	/usr/sbin/ipsec verify;
	exit $?;
	;;

  --version)
	if test " $IPSEC_setupflags" != " "
	then
		echo "$me $1 does not support $IPSEC_setupflags"
		exit 1
	fi

	echo "$me $IPSEC_VERSION"
	exit 0
	;;

  --help)
	if test " $IPSEC_setupflags" != " "
	then
		echo "$me $1 does not support $IPSEC_setupflags"
		exit 1
	fi

	echo "Usage: $me {--start|--stop|--restart|--status}"
	exit 0
	;;

  *)
	echo "Usage: $me {--start|--stop|--restart|--status}" >&2
	exit 2
esac

exit 0
