This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, kernel-update has been updated via acb59f3a997cd39fbcc7b13df3a662533cec08c0 (commit) via 8bec7790904905339ec70cb41ec3b56ce31b3349 (commit) via 593948a8efaa9c53547b5c44e11ed1b1c69814be (commit) via 4503e6b7ad857ceb87b7d6fe02e1952d911634bb (commit) via b431bfce486adcccac747c21882a6f735583104e (commit) via 4ad88740a073e13a69d61848af3a808ce1251af8 (commit) via 68ad7a1ab89eeac485ca85667fb43db3c6431e34 (commit) via 12a8cc1ed90b108fbbcb2d1093e754f05e98bdc1 (commit) via 14356fb908fd6062e987d61cc4c85a618e2fc180 (commit) via 2ade4613c7fe43298ea40947de6c54b07f48dfd0 (commit) via 7916a3bef82e2bb2ff4601c3f851e19bd762f70d (commit) via e6a97a0ca27877bb6396c120a7ab6ec4187dac85 (commit) via 9f0b5c9f4dc586433c8664074fcc46cefda0f666 (commit) via 9d60c9fd3d750da3c762811b30f7c23eb51a32da (commit) via 70e8a248c7d446655965f8e12868ed0c1e3c167c (commit) via b871af81ed08222d92d98a8e7576b3f7386d5e92 (commit) via 3b24acd0f33b4f803088929e5accc716e663c46f (commit) via ae2782ba1ffa3365719070c031ad59317c451f2f (commit) via b829fa10cc91535ca9b8c7708b3168dd54d34e9c (commit) via 08b4415ef2efe8a22a39f5e836099269fa024738 (commit) via 44fd6d2bb50f728b1ea772b9c184cfcca872b568 (commit) via 3090c39efd011f4da22fb076cf9fde846619c688 (commit) via 966e5b56c48c1676c0cbdf96c5ad659af7b4df56 (commit) from 47577eb38527c96d8edc712e6470f7984b43635f (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit acb59f3a997cd39fbcc7b13df3a662533cec08c0 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Aug 13 14:15:04 2012 +0200
installer: add findutils to initrd.
commit 8bec7790904905339ec70cb41ec3b56ce31b3349 Merge: 593948a 47577eb Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Aug 13 14:14:00 2012 +0200
Merge branch 'kernel-update' of git.ipfire.org:/pub/git/ipfire-2.x into kernel-update
commit 593948a8efaa9c53547b5c44e11ed1b1c69814be Merge: 4503e6b cc7e3a9 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Aug 8 13:22:53 2012 +0200
Merge branch 'kernel-update' of git.ipfire.org:/pub/git/ipfire-2.x into kernel-update
commit 4503e6b7ad857ceb87b7d6fe02e1952d911634bb Merge: b431bfc ad92a4b Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Aug 1 08:56:54 2012 +0200
Merge remote-tracking branch 'ms/ccache-update' into kernel-update
commit b431bfce486adcccac747c21882a6f735583104e Merge: 4ad8874 6665a03 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Jul 21 23:54:31 2012 +0200
Merge remote-tracking branch 'origin/master' into kernel-update
commit 4ad88740a073e13a69d61848af3a808ce1251af8 Merge: 68ad7a1 141c7c9 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Jul 21 23:54:01 2012 +0200
Merge branch 'kernel-update' of git.ipfire.org:/pub/git/ipfire-2.x into kernel-update
commit 68ad7a1ab89eeac485ca85667fb43db3c6431e34 Merge: 12a8cc1 3d08d93 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Jul 20 09:08:40 2012 +0200
Merge remote-tracking branch 'ms/thirteen' into kernel-update
commit 12a8cc1ed90b108fbbcb2d1093e754f05e98bdc1 Merge: 14356fb ee71790 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Jul 20 09:05:13 2012 +0200
Merge remote-tracking branch 'ms/glibc-update' into kernel-update
commit 14356fb908fd6062e987d61cc4c85a618e2fc180 Merge: 08b4415 2ade461 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Jul 20 09:04:42 2012 +0200
Merge remote-tracking branch 'ms/strongswan-5' into kernel-update
commit 2ade4613c7fe43298ea40947de6c54b07f48dfd0 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jul 19 17:20:05 2012 +0200
Add all changed files to the updater.
commit 7916a3bef82e2bb2ff4601c3f851e19bd762f70d Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jul 19 16:54:05 2012 +0200
vpnmain.cgi: Reflect recent changes: vpn-watch removed.
commit e6a97a0ca27877bb6396c120a7ab6ec4187dac85 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jul 19 16:51:50 2012 +0200
Remove vpn-watch.
commit 9f0b5c9f4dc586433c8664074fcc46cefda0f666 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jul 19 16:46:00 2012 +0200
ipsec: Improve connection reloading.
As pluto is no longer present, there is a lot to clean up. The connection rename hack is no longer needed and the whole ipsec stack can be controlled with the "ipsec" command.
commit 9d60c9fd3d750da3c762811b30f7c23eb51a32da Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 15 21:04:38 2012 +0200
initscripts: Don't create tmp dirs for pluto anymore.
commit 70e8a248c7d446655965f8e12868ed0c1e3c167c Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 15 21:04:05 2012 +0200
strongswan: Fix running check in services.cgi.
Pluto does not exist anymore. Check for charon.
commit b871af81ed08222d92d98a8e7576b3f7386d5e92 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 15 15:44:17 2012 +0200
Disable vpn-watch.
commit 3b24acd0f33b4f803088929e5accc716e663c46f Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 15 15:43:25 2012 +0200
Create a strongswan update for preview.
commit ae2782ba1ffa3365719070c031ad59317c451f2f Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 15 15:34:59 2012 +0200
Update VPN CGI scripts to work with strongswan 5.0.0.
Pluto is not supported anymore, the following defaults have been changed:
* AES 256 is enabled by default for IKE and ESP.
* DH MODP group has been set to 2048.
* Compression is enabled.
* IKEv2 is default.
Lots of code cleanup has been done as well.
commit b829fa10cc91535ca9b8c7708b3168dd54d34e9c Merge: 3090c39 b0c682c Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jul 15 13:15:11 2012 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into strongswan-5
commit 08b4415ef2efe8a22a39f5e836099269fa024738 Merge: 44fd6d2 ace40c9 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Jul 7 23:17:25 2012 +0200
Merge remote-tracking branch 'origin/next' into kernel-update
commit 44fd6d2bb50f728b1ea772b9c184cfcca872b568 Merge: 966e5b5 986a6b7 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Jul 7 23:16:47 2012 +0200
Merge branch 'kernel-update' of git.ipfire.org:/pub/git/ipfire-2.x into kernel-update
commit 3090c39efd011f4da22fb076cf9fde846619c688 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jul 4 15:53:19 2012 +0200
strongswan: Update to 5.0.0.
This update removes pluto which is replaced by charon.
commit 966e5b56c48c1676c0cbdf96c5ad659af7b4df56 Merge: 83d893a 7d97107 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Jul 4 10:40:34 2012 +0200
Merge remote-tracking branch 'origin/next' into kernel-update
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/stage2                     |   5 +-
 config/rootfiles/common/strongswan                 |  90 +-------
 config/rootfiles/core/{55 => strongswan}/exclude   |   0
 config/rootfiles/core/strongswan/filelists/files   |   6 +
 .../core/{53 => strongswan}/filelists/strongswan   |   0
 config/rootfiles/core/{52 => strongswan}/meta      |   0
 config/rootfiles/core/{61 => strongswan}/update.sh |  14 +-
 config/rootfiles/installer/findutils               |   1 +
 html/cgi-bin/services.cgi                          |   2 +-
 html/cgi-bin/vpnmain.cgi                           | 187 +++++------------
 lfs/strongswan                                     |  27 ++-
 src/initscripts/init.d/tmpfs                       |   4 -
 src/misc-progs/ipsecctrl.c                         | 221 ++++++-------------
 src/scripts/vpn-watch                              |  83 --------
 14 files changed, 166 insertions(+), 474 deletions(-)
 copy config/rootfiles/core/{55 => strongswan}/exclude (100%)
 create mode 100644 config/rootfiles/core/strongswan/filelists/files
 copy config/rootfiles/core/{53 => strongswan}/filelists/strongswan (100%)
 copy config/rootfiles/core/{52 => strongswan}/meta (100%)
 copy config/rootfiles/core/{61 => strongswan}/update.sh (92%)
 create mode 120000 config/rootfiles/installer/findutils
 delete mode 100755 src/scripts/vpn-watch
Difference in files: diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 796e0f3..e59763f 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -13,8 +13,8 @@ etc/hddtemp.db etc/host.conf etc/inittab etc/inputrc -#etc/ipsec.user.conf -#etc/ipsec.user.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets etc/issue etc/ld.so.conf etc/localtime @@ -75,7 +75,6 @@ usr/local/bin/setddns.pl usr/local/bin/settime usr/local/bin/timecheck #usr/local/bin/uname -usr/local/bin/vpn-watch #usr/local/include #usr/local/lib #usr/local/sbin diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 4c7d558..ac368d6 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan 
@@ -13,133 +13,62 @@ etc/strongswan.conf #usr/lib/ipsec #usr/lib/ipsec/libcharon.a #usr/lib/ipsec/libcharon.la -usr/lib/ipsec/libcharon.so +#usr/lib/ipsec/libcharon.so usr/lib/ipsec/libcharon.so.0 usr/lib/ipsec/libcharon.so.0.0.0 #usr/lib/ipsec/libhydra.a #usr/lib/ipsec/libhydra.la -usr/lib/ipsec/libhydra.so +#usr/lib/ipsec/libhydra.so usr/lib/ipsec/libhydra.so.0 usr/lib/ipsec/libhydra.so.0.0.0 #usr/lib/ipsec/libstrongswan.a #usr/lib/ipsec/libstrongswan.la -usr/lib/ipsec/libstrongswan.so +#usr/lib/ipsec/libstrongswan.so usr/lib/ipsec/libstrongswan.so.0 usr/lib/ipsec/libstrongswan.so.0.0.0 #usr/lib/ipsec/plugins -#usr/lib/ipsec/plugins/libstrongswan-aes.a -#usr/lib/ipsec/plugins/libstrongswan-aes.la usr/lib/ipsec/plugins/libstrongswan-aes.so -#usr/lib/ipsec/plugins/libstrongswan-attr.a -#usr/lib/ipsec/plugins/libstrongswan-attr.la usr/lib/ipsec/plugins/libstrongswan-attr.so -#usr/lib/ipsec/plugins/libstrongswan-cmac.a -#usr/lib/ipsec/plugins/libstrongswan-cmac.la usr/lib/ipsec/plugins/libstrongswan-cmac.so -#usr/lib/ipsec/plugins/libstrongswan-constraints.a -#usr/lib/ipsec/plugins/libstrongswan-constraints.la usr/lib/ipsec/plugins/libstrongswan-constraints.so -#usr/lib/ipsec/plugins/libstrongswan-curl.a -#usr/lib/ipsec/plugins/libstrongswan-curl.la usr/lib/ipsec/plugins/libstrongswan-curl.so -#usr/lib/ipsec/plugins/libstrongswan-des.a -#usr/lib/ipsec/plugins/libstrongswan-des.la usr/lib/ipsec/plugins/libstrongswan-des.so -#usr/lib/ipsec/plugins/libstrongswan-dnskey.a -#usr/lib/ipsec/plugins/libstrongswan-dnskey.la usr/lib/ipsec/plugins/libstrongswan-dnskey.so -#usr/lib/ipsec/plugins/libstrongswan-fips-prf.a -#usr/lib/ipsec/plugins/libstrongswan-fips-prf.la usr/lib/ipsec/plugins/libstrongswan-fips-prf.so -#usr/lib/ipsec/plugins/libstrongswan-gmp.a -#usr/lib/ipsec/plugins/libstrongswan-gmp.la usr/lib/ipsec/plugins/libstrongswan-gmp.so -#usr/lib/ipsec/plugins/libstrongswan-hmac.a -#usr/lib/ipsec/plugins/libstrongswan-hmac.la usr/lib/ipsec/plugins/libstrongswan-hmac.so 
-#usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.a -#usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.la usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so -#usr/lib/ipsec/plugins/libstrongswan-md5.a -#usr/lib/ipsec/plugins/libstrongswan-md5.la usr/lib/ipsec/plugins/libstrongswan-md5.so -#usr/lib/ipsec/plugins/libstrongswan-pem.a -#usr/lib/ipsec/plugins/libstrongswan-pem.la +usr/lib/ipsec/plugins/libstrongswan-nonce.so +usr/lib/ipsec/plugins/libstrongswan-openssl.so +usr/lib/ipsec/plugins/libstrongswan-padlock.so usr/lib/ipsec/plugins/libstrongswan-pem.so -#usr/lib/ipsec/plugins/libstrongswan-pgp.a -#usr/lib/ipsec/plugins/libstrongswan-pgp.la usr/lib/ipsec/plugins/libstrongswan-pgp.so -#usr/lib/ipsec/plugins/libstrongswan-pkcs1.a -#usr/lib/ipsec/plugins/libstrongswan-pkcs1.la usr/lib/ipsec/plugins/libstrongswan-pkcs1.so -#usr/lib/ipsec/plugins/libstrongswan-pkcs8.a -#usr/lib/ipsec/plugins/libstrongswan-pkcs8.la usr/lib/ipsec/plugins/libstrongswan-pkcs8.so -#usr/lib/ipsec/plugins/libstrongswan-pubkey.a -#usr/lib/ipsec/plugins/libstrongswan-pubkey.la usr/lib/ipsec/plugins/libstrongswan-pubkey.so -#usr/lib/ipsec/plugins/libstrongswan-random.a -#usr/lib/ipsec/plugins/libstrongswan-random.la usr/lib/ipsec/plugins/libstrongswan-random.so -#usr/lib/ipsec/plugins/libstrongswan-resolve.a -#usr/lib/ipsec/plugins/libstrongswan-resolve.la usr/lib/ipsec/plugins/libstrongswan-resolve.so -#usr/lib/ipsec/plugins/libstrongswan-revocation.a -#usr/lib/ipsec/plugins/libstrongswan-revocation.la usr/lib/ipsec/plugins/libstrongswan-revocation.so -#usr/lib/ipsec/plugins/libstrongswan-sha1.a -#usr/lib/ipsec/plugins/libstrongswan-sha1.la usr/lib/ipsec/plugins/libstrongswan-sha1.so -#usr/lib/ipsec/plugins/libstrongswan-sha2.a -#usr/lib/ipsec/plugins/libstrongswan-sha2.la usr/lib/ipsec/plugins/libstrongswan-sha2.so -#usr/lib/ipsec/plugins/libstrongswan-socket-raw.a -#usr/lib/ipsec/plugins/libstrongswan-socket-raw.la -usr/lib/ipsec/plugins/libstrongswan-socket-raw.so 
-#usr/lib/ipsec/plugins/libstrongswan-stroke.a -#usr/lib/ipsec/plugins/libstrongswan-stroke.la +usr/lib/ipsec/plugins/libstrongswan-socket-default.so usr/lib/ipsec/plugins/libstrongswan-stroke.so -#usr/lib/ipsec/plugins/libstrongswan-updown.a -#usr/lib/ipsec/plugins/libstrongswan-updown.la usr/lib/ipsec/plugins/libstrongswan-updown.so -#usr/lib/ipsec/plugins/libstrongswan-x509.a -#usr/lib/ipsec/plugins/libstrongswan-x509.la usr/lib/ipsec/plugins/libstrongswan-x509.so -#usr/lib/ipsec/plugins/libstrongswan-xauth.a -#usr/lib/ipsec/plugins/libstrongswan-xauth.la -usr/lib/ipsec/plugins/libstrongswan-xauth.so -#usr/lib/ipsec/plugins/libstrongswan-xcbc.a -#usr/lib/ipsec/plugins/libstrongswan-xcbc.la +usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so usr/lib/ipsec/plugins/libstrongswan-xcbc.so #usr/libexec/ipsec usr/libexec/ipsec/_copyright -usr/libexec/ipsec/_pluto_adns usr/libexec/ipsec/_updown usr/libexec/ipsec/_updown_espmark usr/libexec/ipsec/charon usr/libexec/ipsec/openac usr/libexec/ipsec/pki -usr/libexec/ipsec/pluto usr/libexec/ipsec/scepclient usr/libexec/ipsec/starter usr/libexec/ipsec/stroke -usr/libexec/ipsec/whack usr/sbin/ipsec -#usr/share/man/man3/anyaddr.3 -#usr/share/man/man3/atoaddr.3 -#usr/share/man/man3/atoasr.3 -#usr/share/man/man3/atoul.3 -#usr/share/man/man3/goodmask.3 -#usr/share/man/man3/initaddr.3 -#usr/share/man/man3/initsubnet.3 -#usr/share/man/man3/portof.3 -#usr/share/man/man3/rangetosubnet.3 -#usr/share/man/man3/sameaddr.3 -#usr/share/man/man3/subnetof.3 -#usr/share/man/man3/ttoaddr.3 -#usr/share/man/man3/ttodata.3 -#usr/share/man/man3/ttosa.3 -#usr/share/man/man3/ttoul.3 #usr/share/man/man5/ipsec.conf.5 #usr/share/man/man5/ipsec.secrets.5 #usr/share/man/man5/strongswan.conf.5 @@ -147,7 +76,4 @@ usr/sbin/ipsec #usr/share/man/man8/_updown_espmark.8 #usr/share/man/man8/ipsec.8 #usr/share/man/man8/openac.8 -#usr/share/man/man8/pluto.8 #usr/share/man/man8/scepclient.8 -etc/ipsec.user.conf -etc/ipsec.user.secrets 
diff --git a/config/rootfiles/core/strongswan/exclude b/config/rootfiles/core/strongswan/exclude new file mode 100644 index 0000000..7360266 --- /dev/null +++ b/config/rootfiles/core/strongswan/exclude @@ -0,0 +1,12 @@ +srv/web/ipfire/html/proxy.pac +etc/udev/rules.d/30-persistent-network.rules +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +var/updatecache +etc/localtime +var/ipfire/ovpn +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf diff --git a/config/rootfiles/core/strongswan/filelists/files b/config/rootfiles/core/strongswan/filelists/files new file mode 100644 index 0000000..4aa5440 --- /dev/null +++ b/config/rootfiles/core/strongswan/filelists/files @@ -0,0 +1,6 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/tmpfs +srv/web/ipfire/cgi-bin/services.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/local/bin/ipsecctrl diff --git a/config/rootfiles/core/strongswan/filelists/strongswan b/config/rootfiles/core/strongswan/filelists/strongswan new file mode 120000 index 0000000..90c727e --- /dev/null +++ b/config/rootfiles/core/strongswan/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/strongswan/meta b/config/rootfiles/core/strongswan/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/core/strongswan/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/strongswan/update.sh b/config/rootfiles/core/strongswan/update.sh new file mode 100644 index 0000000..7ef3f2f --- /dev/null +++ b/config/rootfiles/core/strongswan/update.sh 
@@ -0,0 +1,89 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2012 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# +# Remove old core updates from pakfire cache to save space... +core=61 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# +#Stop services +ipsecctrl D + +# +#Extract files +extract_files + +# Remove old pluto binaries. +rm -f /usr/libexec/ipsec/{pluto,_pluto_adns,whack} +rm -f /usr/local/bin/vpn-watch + +# +#Start services + +# Call the CGI script to regenerate the configuration files. 
+/srv/web/ipfire/cgi-bin/vpnmain.cgi +ipsecctrl S + +# +#Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +#Rebuild module dep's +#arch=`uname -m` +#if [ ${arch::3} == "arm" ]; then +# depmod -a 2.6.32.45-ipfire-versatile >/dev/null 2>&1 +# depmod -a 2.6.32.45-ipfire-kirkwood >/dev/null 2>&1 +#else +# depmod -a 2.6.32.45-ipfire >/dev/null 2>&1 +# depmod -a 2.6.32.45-ipfire-pae >/dev/null 2>&1 +# depmod -a 2.6.32.45-ipfire-xen >/dev/null 2>&1 +#fi + + +#Rebuild initrd's because some compat-wireless modules are inside +#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45.img 2.6.32.45-ipfire +#if [ -e /boot/ipfirerd-2.6.32.45-pae.img ]; then +#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-pae.img 2.6.32.45-ipfire-pae +#fi +#if [ -e /boot/ipfirerd-2.6.32.45-xen.img ]; then +#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-xen.img 2.6.32.45-ipfire-xen +#fi + +sync + +# This update need a reboot... +#touch /var/run/need_reboot + +# +#Finish +/etc/init.d/fireinfo start +sendprofile +#Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/installer/findutils b/config/rootfiles/installer/findutils new file mode 120000 index 0000000..1114c4c --- /dev/null +++ b/config/rootfiles/installer/findutils @@ -0,0 +1 @@ +../common/findutils \ No newline at end of file diff --git a/html/cgi-bin/services.cgi b/html/cgi-bin/services.cgi index 123c325..22a9ac7 100644 --- a/html/cgi-bin/services.cgi +++ b/html/cgi-bin/services.cgi @@ -54,7 +54,7 @@ my %servicenames =( $Lang::tr{'kernel logging server'} => 'klogd', $Lang::tr{'ntp server'} => 'ntpd', $Lang::tr{'secure shell server'} => 'sshd', - $Lang::tr{'vpn'} => 'pluto', + $Lang::tr{'vpn'} => 'charon', $Lang::tr{'web proxy'} => 'squid', 'OpenVPN' => 'openvpn' ); diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 0fb7c93..831ef93 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -73,17 +73,9 @@ $cgiparams{'ENABLED'} = 'off'; $cgiparams{'EDIT_ADVANCED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; -$cgiparams{'DBG_CRYPT'} = ''; -$cgiparams{'DBG_PARSING'} = ''; -$cgiparams{'DBG_EMITTING'} = ''; -$cgiparams{'DBG_CONTROL'} = ''; -$cgiparams{'DBG_KLIPS'} = ''; -$cgiparams{'DBG_DNS'} = ''; -$cgiparams{'DBG_NAT_T'} = ''; $cgiparams{'KEY'} = ''; $cgiparams{'TYPE'} = ''; $cgiparams{'ADVANCED'} = ''; -$cgiparams{'INTERFACE'} = ''; $cgiparams{'NAME'} = ''; $cgiparams{'LOCAL_SUBNET'} = ''; $cgiparams{'REMOTE_SUBNET'} = ''; 
@@ -253,50 +245,8 @@ sub writeipsecfiles { flock CONF, 2; flock SECRETS, 2; print CONF "version 2\n\n"; - print CONF "config setup\n"; - #create an ipsec Interface for each 'enabled' ones - #loop trought configuration and add physical interfaces to the list - my $interfaces = "\tinterfaces=""; - foreach my $key (keys %lconfighash) { - next if ($lconfighash{$key}[0] ne 'on'); - $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED'); - $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN'); - $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE'); - $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE'); - } - print CONF $interfaces . ""\n"; - - my $plutodebug = ''; # build debug list - map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '', - ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_DNS')); - $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'. 
- #print CONF "\tklipsdebug="none"\n"; - print CONF "\tplutodebug="$plutodebug"\n"; - # deprecated in ipsec.conf version 2 - #print CONF "\tplutoload=%search\n"; - #print CONF "\tplutostart=%search\n"; - print CONF "\tuniqueids=yes\n"; - print CONF "\tnat_traversal=yes\n"; - print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne ''); - print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"; - print CONF ",%v4:!$green_cidr"; - if (length($netsettings{'ORANGE_DEV'}) > 2) { - print CONF ",%v4:!$orange_cidr"; - } - if (length($netsettings{'BLUE_DEV'}) > 2) { - print CONF ",%v4:!$blue_cidr"; - } - foreach my $key (keys %lconfighash) { - if ($lconfighash{$key}[3] eq 'net') { - print CONF ",%v4:!$lconfighash{$key}[11]"; - } - } - print CONF "\n\n"; print CONF "conn %default\n"; - print CONF "\tkeyingtries=0\n"; - #strongswan doesn't know this - #print CONF "\tdisablearrivalcheck=no\n"; + print CONF "\tkeyingtries=%forever\n"; print CONF "\n";
# Add user includes to config file @@ -329,7 +279,6 @@ sub writeipsecfiles {
print CONF "conn $lconfighash{$key}[1]\n"; print CONF "\tleft=$localside\n"; - print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute'); my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); print CONF "\tleftsubnet=$cidr_net\n"; print CONF "\tleftfirewall=yes\n"; @@ -339,7 +288,6 @@ sub writeipsecfiles { if ($lconfighash{$key}[3] eq 'net') { my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); print CONF "\trightsubnet=$cidr_net\n"; - print CONF "\trightnexthop=%defaultroute\n"; } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors? print CONF "\trightsubnet=vhost:%no,%priv\n"; } @@ -354,6 +302,9 @@ sub writeipsecfiles { print CONF "\tleftid="$lconfighash{$key}[7]"\n" if ($lconfighash{$key}[7]); print CONF "\trightid="$lconfighash{$key}[9]"\n" if ($lconfighash{$key}[9]);
+ # Is PFS enabled? + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; + # Algorithms if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { print CONF "\tike="; @@ -379,11 +330,25 @@ sub writeipsecfiles { print CONF "\tesp="; my @encs = split('|', $lconfighash{$key}[21]); my @ints = split('|', $lconfighash{$key}[22]); + my @groups = split('|', $lconfighash{$key}[20]); my $comma = 0; foreach my $i (@encs) { foreach my $j (@ints) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j"; + my $modp = ""; + if ($pfs eq "on") { + foreach my $k (@groups) { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + if ($pfs eq "on") { + $modp = "-modp$k"; + } else { + $modp = ""; + } + print CONF "$i-$j$modp"; + } + } else { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + print CONF "$i-$j"; + } } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? @@ -392,9 +357,6 @@ sub writeipsecfiles { print CONF "\n"; } } - if ($lconfighash{$key}[23]) { - print CONF "\tpfsgroup=$lconfighash{$key}[23]\n"; - }
# IKE V1 or V2 if (! $lconfighash{$key}[29]) { @@ -414,9 +376,6 @@ sub writeipsecfiles { print CONF "\tdpdtimeout=120\n"; print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
- # Disable pfs ? - print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n"); - # Build Authentication details: LEFTid RIGHTid : PSK psk my $psk_line; if ($lconfighash{$key}[4] eq 'psk') { @@ -450,6 +409,12 @@ sub writeipsecfiles { close(SECRETS); }
+# Hook to regenerate the configuration files. +if ($ENV{"REMOTE_ADDR"} eq "") { + writeipsecfiles; + exit(0); +} + ### ### Save main settings ### @@ -466,29 +431,13 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SAVE_ERROR; }
- unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999 - $errormessage = $Lang::tr{'vpn mtu invalid'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) { - $errormessage = $Lang::tr{'invalid input'}; - goto SAVE_ERROR; - } - if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; }
- map ($vpnsettings{$_} = $cgiparams{$_}, - ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_DNS')); - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; - $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'}; - $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", %vpnsettings); &writeipsecfiles(); @@ -1298,7 +1247,6 @@ END $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; @@ -1801,7 +1749,7 @@ END $confighash{$key}[9] = $cgiparams{'REMOTE_ID'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; - $confighash{$key}[26] = $cgiparams{'INTERFACE'}; + $confighash{$key}[26] = ""; # Formerly INTERFACE $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; $confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
@@ -1859,28 +1807,25 @@ END $cgiparams{'DPD_ACTION'} = 'restart'; }
- # Default IKE Version to V1 - if (! $cgiparams{'IKE_VERSION'}) { - $cgiparams{'IKE_VERSION'} = 'ikev1'; + # Default IKE Version to v2 + if (!$cgiparams{'IKE_VERSION'}) { + $cgiparams{'IKE_VERSION'} = 'ikev2'; }
- # Default is yes for 'pfs' - $cgiparams{'PFS'} = 'on'; - # ID are empty $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = '';
#use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18]; + $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes128|3des'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20]; + $cgiparams{'IKE_GROUPTYPE'} = '2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '1'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes128|3des'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = ''; #[23]; $cgiparams{'ESP_KEYLIFE'} = '8'; #[17]; - $cgiparams{'COMPRESSION'} = 'off'; #[13]; + $cgiparams{'COMPRESSION'} = 'on'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; $cgiparams{'VHOST'} = 'on'; #[14]; @@ -1903,12 +1848,6 @@ END $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
- $selected{'INTERFACE'}{'RED'} = ''; - $selected{'INTERFACE'}{'ORANGE'} = ''; - $selected{'INTERFACE'}{'GREEN'} = ''; - $selected{'INTERFACE'}{'BLUE'} = ''; - $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'"; - $selected{'DPD_ACTION'}{'clear'} = ''; $selected{'DPD_ACTION'}{'hold'} = ''; $selected{'DPD_ACTION'}{'restart'} = ''; @@ -1975,22 +1914,24 @@ END $blob = "<img src='/blob.gif' alt='*' />"; };
- print "<tr><td>$Lang::tr{'host ip'}:</td>"; - print "<td><select name='INTERFACE'>"; - print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED ($vpnsettings{'VPN_IP'})</option>"; - print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN ($netsettings{'GREEN_ADDRESS'})</option>"; - print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE ($netsettings{'BLUE_ADDRESS'})</option>" if ($netsettings{'BLUE_DEV'} ne ''); - print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE ($netsettings{'ORANGE_ADDRESS'})</option>" if ($netsettings{'ORANGE_DEV'} ne ''); - print "</select></td>"; print <<END + <tr> <td class='boldbase'>$Lang::tr{'remote host/ip'}: $blob</td> - <td><input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /></td> - </tr><tr> - <td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td> - <td><input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td> + <td> + <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /> + </td> <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td> - <td><input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /></td> - </tr><tr> + <td> + <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /> + </td> + </tr> + <tr> + <td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td> + <td colspan='3'> + <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /> + </td> + </tr> + <tr> <td class='boldbase'>$Lang::tr{'vpn local id'}:<br />($Lang::tr{'eg'} <tt>@xy.example.com</tt>)</td> <td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' /></td> <td class='boldbase'>$Lang::tr{'vpn remote id'}:</td> 
@@ -1999,22 +1940,18 @@ END </tr><td><br /></td><tr> <td>$Lang::tr{'vpn keyexchange'}:</td> <td><select name='IKE_VERSION'> - <option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option> <option value='ikev2' $selected{'IKE_VERSION'}{'ikev2'}>IKEv2</option> - </select></a> + <option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option> + </select> </td> <td>$Lang::tr{'dpd action'}:</td> <td><select name='DPD_ACTION'> <option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option> <option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option> <option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option> - </select> <a href='http://www.openswan.com/docs/local/README.DPD'>?</a> + </select> </td> </tr><tr> -<!--http://www.openswan.com/docs/local/README.DPD - http://bugs.xelerance.com/view.php?id=156 - restart = clear + reinitiate connection ---> <td class='boldbase'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /></td> <td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td> </tr> @@ -2447,11 +2384,7 @@ EOF $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
$cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); - $checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ; - map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '', - ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_DNS')); - + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); @@ -2475,13 +2408,6 @@ EOF </tr> END ; - print <<END - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'override mtu'}: <img src='/blob.gif' alt='*' /></td> - <td ><input type='text' name='VPN_OVERRIDE_MTU' value='$cgiparams{'VPN_OVERRIDE_MTU'}' /></td> - </tr> -END - ; print <<END <tr> <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td> @@ -2492,13 +2418,6 @@ print <<END <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td> </tr> </table> -<p>$Lang::tr{'vpn watch'}:<input type='checkbox' name='VPN_WATCH' $checked{'VPN_WATCH'} /></p> -<p>PLUTO DEBUG = -crypt:<input type='checkbox' name='DBG_CRYPT' $checked{'DBG_CRYPT'} />, -parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} />, -emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} />, -control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} />, -dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} /> <hr /> <table width='100%'> <tr> diff --git a/lfs/strongswan b/lfs/strongswan index d0d533d..3d22086 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 4.6.4 +VER = 5.0.0
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -32,6 +32,12 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP)
+ifeq "$(MACHINE)" "i586" + PADLOCK = --enable-padlock +else + PADLOCK = --disable-padlock +endif + ############################################################################### # Top-level Rules ############################################################################### @@ -40,7 +46,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4c0999c42faa0860ae0afc4f8efd9d04 +$(DL_FILE)_MD5 = c8b861305def7c0abae04f7bbefec212
install : $(TARGET)
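Review bot: `$(DL_FILE)_MD5` is the only integrity check on the new `strongswan-5.0.0.tar.bz2`, and the hunk does not record where the checksum came from. Because the tarball is fetched from `$(URL_IPFIRE)` rather than from upstream, please note in the commit (or in a comment next to the hash) that the MD5 was taken after checking the upstream release signature, so a later reviewer can tell a mirror-side swap from an intentional update.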
@@ -73,18 +79,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
- # Customize the welcome banner. - sed -i $(DIR_APP)/src/pluto/modecfg.c \ - -e 's/^#define.*DEFAULT_UNITY_BANNER.*/#define DEFAULT_UNITY_BANNER "Welcome to IPFire - An Open Source Firewall Solution.\n"/' - - cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc" \ - --enable-cisco-quirks \ - --enable-curl \ - --enable-nat-transport + cd $(DIR_APP) && ./configure \ + --prefix="/usr" \ + --sysconfdir="/etc" \ + --enable-curl \ + --enable-openssl \ + $(PADLOCK)
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
+ # Remove all library files we don't want or need. + rm -vf /usr/lib/ipsec/plugins/*.{,l}a + -rm -rfv /etc/rc*.d/*ipsec cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec rm -f /etc/ipsec.conf /etc/ipsec.secrets diff --git a/src/initscripts/init.d/tmpfs b/src/initscripts/init.d/tmpfs index 0e5a1e1..848dec6 100644 --- a/src/initscripts/init.d/tmpfs +++ b/src/initscripts/init.d/tmpfs @@ -43,10 +43,6 @@ case "$1" in mkdir -p /var/run/mysql chown mysql:mysql /var/run/mysql fi - if [ ! -e /var/run/pluto ]; then - mkdir -p /var/run/pluto - chmod 700 /var/run/pluto - fi if [ ! -e /var/run/saslauthd ]; then mkdir -p /var/run/saslauthd fi diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 0b05177..65a96e0 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -78,7 +78,6 @@ void ipsec_norules() { safe_system("/sbin/iptables -F IPSECINPUT"); safe_system("/sbin/iptables -F IPSECFORWARD"); safe_system("/sbin/iptables -F IPSECOUTPUT"); - }
/* @@ -87,8 +86,7 @@ void ipsec_norules() { int decode_line (char *s, char **key, char **name, - char **type, - char **interface + char **type ) { int count = 0; *key = NULL; @@ -108,8 +106,6 @@ int decode_line (char *s, *name = result; if (count == 4) *type = result; - if (count == 27) - *interface = result; count++; result = strsep(&s, ","); } @@ -128,11 +124,6 @@ int decode_line (char *s, return 0; }
- if (! (strcmp(*interface, "RED") == 0 || strcmp(*interface, "GREEN") == 0 || - strcmp(*interface, "ORANGE") == 0 || strcmp(*interface, "BLUE") == 0)) { - fprintf(stderr, "Bad interface name: %s\n", *interface); - return 0; - } //it's a valid & active line return 1; } @@ -140,69 +131,48 @@ int decode_line (char *s, /* issue ipsec commmands to turn on connection 'name' */ -void turn_connection_on (char *name, char *type) { -/* - Rename the connection and run ipsec update and rename it back to readd - a deleted connection. Because ipsec update ignores connection that have - not changed since last load. -*/ +void turn_connection_on(char *name, char *type) { + /* + * To bring up a connection, we need to reload the configuration + * and issue ipsec up afterwards. To make sure the connection + * is not established from the start, we bring it down in advance. + */ char command[STRING_SIZE]; - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, - "sed -i -e 's|^conn %s$|conn %s-renamed|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name); - safe_system(command);
- // Down and delete IKEv2 Tunnel before ipsec update + // Bring down the connection (if established). snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke down %s >/dev/null", name); + "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke delete %s >/dev/null", name); - safe_system(command); - - safe_system("/etc/rc.d/init.d/ipsec update >/dev/null");
- sleep(1); + // Reload the configuration into the daemon. + safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
- // Back to original name - snprintf(command, STRING_SIZE - 1, - "sed -i -e 's|^conn %s-renamed$|conn %s|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name); - safe_system(command); - - // Down and delete IKEv2 Tunnel before ipsec update - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke down %s-renamed >/dev/null", name); - safe_system(command); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke delete %s-renamed >/dev/null", name); - safe_system(command); - - safe_system("/etc/rc.d/init.d/ipsec update >/dev/null"); + // Bring the connection up again. + snprintf(command, STRING_SIZE - 1, + "/usr/sbin/ipsec up %s >/dev/null", name); + safe_system(command); } + /* issue ipsec commmands to turn off connection 'name' */ void turn_connection_off (char *name) { + /* + * To turn off a connection, all SAs must be turned down. + * After that, the configuration must be reloaded. + */ char command[STRING_SIZE]; - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name); - safe_system(command); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke down %s >/dev/null", name); - safe_system(command); + + // Bring down the connection. snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec stroke delete %s >/dev/null", name); + "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command);
- safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null"); - safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null"); - + // Reload, so the connection is dropped. + safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); }
- int main(int argc, char *argv[]) { - char configtype[STRING_SIZE]; char redtype[STRING_SIZE] = ""; struct keyvalue *kv = NULL; @@ -218,26 +188,15 @@ int main(int argc, char *argv[]) {
if (strcmp(argv[1], "I") == 0) { - safe_system("/usr/sbin/ipsec whack --status"); - safe_system("/usr/sbin/ipsec stroke status"); + safe_system("/usr/sbin/ipsec status"); exit(0); }
if (strcmp(argv[1], "R") == 0) { - safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null"); - safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null"); + safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1"); exit(0); }
- /* Get vpnwatch pid */ - - - if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) { - safe_system("kill -9 $(cat /var/run/vpn-watch.pid)"); - safe_system("unlink /var/run/vpn-watch.pid"); - close(file); - } - /* FIXME: workaround for pclose() issue - still no real idea why * this is happening */ signal(SIGCHLD, SIG_DFL); @@ -245,16 +204,10 @@ int main(int argc, char *argv[]) { /* handle operations that doesn't need start the ipsec system */ if (argc == 2) { if (strcmp(argv[1], "D") == 0) { - /* Only shutdown pluto if it really is running */ - /* Get pluto pid */ - if (file = fopen("/var/run/pluto.pid", "r")) { - safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null"); - close(file); - } + safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1"); ipsec_norules(); exit(0); } - }
/* read vpn config */ @@ -300,97 +253,69 @@ int main(int argc, char *argv[]) { char if_blue[STRING_SIZE] = ""; char s[STRING_SIZE];
- if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) { - fprintf(stderr, "Couldn't open vpn settings file"); - exit(1); - } - while (fgets(s, STRING_SIZE, file) != NULL) { - char *key; - char *name; - char *type; - char *interface; - if (!decode_line(s,&key,&name,&type,&interface)) - continue; - /* search interface */ - if (!enable_red && strcmp (interface, "RED") == 0) { - // when RED is up, find interface name in special file - FILE *ifacefile = NULL; - if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) { - if (fgets(if_red, STRING_SIZE, ifacefile)) { - if (if_red[strlen(if_red) - 1] == '\n') - if_red[strlen(if_red) - 1] = '\0'; - } - fclose (ifacefile); - - if (VALID_DEVICE(if_red)) - enable_red+=2; // present and running - } - } - - if (!enable_green && strcmp (interface, "GREEN") == 0) { - enable_green = 1; - findkey(kv, "GREEN_DEV", if_green); - if (VALID_DEVICE(if_green)) - enable_green++; - else - fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n"); + // when RED is up, find interface name in special file + FILE *ifacefile = NULL; + if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) { + if (fgets(if_red, STRING_SIZE, ifacefile)) { + if (if_red[strlen(if_red) - 1] == '\n') + if_red[strlen(if_red) - 1] = '\0'; } + fclose (ifacefile);
- if (!enable_orange && strcmp (interface, "ORANGE") == 0) { - enable_orange = 1; - findkey(kv, "ORANGE_DEV", if_orange); - if (VALID_DEVICE(if_orange)) - enable_orange++; - else - fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n"); - } + if (VALID_DEVICE(if_red)) + enable_red++; + }
- if (!enable_blue && strcmp (interface, "BLUE") == 0) { - enable_blue++; - findkey(kv, "BLUE_DEV", if_blue); - if (VALID_DEVICE(if_blue)) - enable_blue++; - else - fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n"); + // Check if GREEN is enabled. + findkey(kv, "GREEN_DEV", if_green); + if (VALID_DEVICE(if_green)) + enable_green++; + else + fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n"); + + // Check if ORANGE is enabled. + findkey(kv, "ORANGE_DEV", if_orange); + if (VALID_DEVICE(if_orange)) + enable_orange++; + else + fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n"); + + // Check if BLUE is enabled. + findkey(kv, "BLUE_DEV", if_blue); + if (VALID_DEVICE(if_blue)) + enable_blue++; + else + fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");
- } - } - fclose(file); freekeyvalues(kv);
- // do nothing if something is in error condition - if ((enable_red==1) || (enable_green==1) || (enable_orange==1) || (enable_blue==1) ) - exit(1); - // exit if nothing to do - if ( (enable_red+enable_green+enable_orange+enable_blue) == 0 ) + if ((enable_red+enable_green+enable_orange+enable_blue) == 0) exit(0);
// open needed ports - // todo: read a nat_t indicator to allow or not openning UDP/4500 - if (enable_red==2) + if (enable_red > 0) open_physical(if_red, 4500);
- if (enable_green==2) + if (enable_green > 0) open_physical(if_green, 4500);
- if (enable_orange==2) + if (enable_orange > 0) open_physical(if_orange, 4500);
- if (enable_blue==2) + if (enable_blue > 0) open_physical(if_blue, 4500);
// start the system if ((argc == 2) && strcmp(argv[1], "S") == 0) { - safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null"); - safe_system("/usr/local/bin/vpn-watch &"); + safe_system("/usr/sbin/ipsec restart >/dev/null"); exit(0); }
// it is a selective start or stop // second param is only a number 'key' if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) { - fprintf(stderr, "Bad arg\n"); + fprintf(stderr, "Bad arg: %s\n", argv[2]); usage(); exit(1); } @@ -404,26 +329,17 @@ int main(int argc, char *argv[]) { char *key; char *name; char *type; - char *interface; - if (!decode_line(s,&key,&name,&type,&interface)) + if (!decode_line(s,&key,&name,&type)) continue;
- // start/stop a vpn if belonging to specified interface - if (strcmp(argv[1], interface) == 0 ) { - if (strcmp(argv[2], "0")==0) - turn_connection_off (name); - else - turn_connection_on (name, type); - continue; - } // is it the 'key' requested ? if (strcmp(argv[2], key) != 0) continue; + // Start or Delete this Connection if (strcmp(argv[1], "S") == 0) turn_connection_on (name, type); - else - if (strcmp(argv[1], "D") == 0) + else if (strcmp(argv[1], "D") == 0) turn_connection_off (name); else { fprintf(stderr, "Bad command\n"); @@ -431,5 +347,6 @@ int main(int argc, char *argv[]) { } } fclose(file); + return 0; } diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch deleted file mode 100755 index 7eae873..0000000 --- a/src/scripts/vpn-watch +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/usr/bin/perl -################################################## -##### VPN-Watch.pl Version 0.7 ##### -################################################## -# # -# VPN-Watch is part of the IPFire Firewall # -# # -################################################## - -use strict; - -require '/var/ipfire/general-functions.pl'; -my @vpnsettings; -my $i = 0; -my $file = "/var/run/vpn-watch.pid"; -my $debug = 0; - -if ( -e $file ){ - logger("There my be another vpn-watch runnning because $file exists, vpn-watch will try kill the process."); - open(FILE, "<$file"); - my $PID = <FILE>; - close(FILE); - system("kill -9 $PID"); - } - -system("echo $$ > $file"); -my $round=0; -while ( $i == 0){ - if ($debug){logger("We will wait 60 seconds before next action.");} - sleep(60); - - $round++; - - # Reset roundcounter after 10 min. To do established check. - if ($round > 9) { $round=0; } - - if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = <FILE>; - close(FILE); - unless(@vpnsettings) {exit 1;} - } - -my $status = `ipsec status`; -foreach (@vpnsettings){ - my @settings = split(/,/,$_); - - chomp($settings[30]); - if ($settings[27] ne 'RED'){next;} - if ($settings[4] ne 'net'){next;} - if ($settings[1] ne 'on'){next;}chomp($settings[29]); - if ($settings[29] ne 'on'){next;} - - my $remotehostname = $settings[11]; - - if ($debug){logger("Checking connection to $remotehostname.");} - - my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print $3}' | tr -d '()' | tr -d ':'`;chomp($remoteip); - if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}} - my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`; - my $established= `echo "$status" | grep '$settings[2]' | grep -e 'erouted;' -e 'INSTALLED'`; - my $known= `echo "$status" | grep '$settings[2]'`; - - if ( $ipmatch eq '' && $known ne '' ){ - logger("Remote IP for host $remotehostname($remoteip) has changed, restarting 
ipsec."); - system("/usr/local/bin/ipsecctrl S $settings[0]"); - $round=0; - } - - if ($debug){logger("Round=".$round." and established=".$established);} - - if ( ($round == 0) && ($established eq '')) { - logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec."); - system("/usr/local/bin/ipsecctrl S $settings[0]"); - $round=0; - - } - } - if ($debug){logger("All connections may be fine nothing was done.");} -} - -sub logger { - my $log = shift; - system("logger -t vpnwatch "$log""); -}
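Review bot: in the `vpnmain.cgi` hunk at `@@ -2492,13 +2418,6 @@`, the removed block opens `<p>PLUTO DEBUG =` but no matching `</p>` is removed with it; if that closing tag sits in the unchanged lines after `<hr />`, the page now carries an unmatched `</p>`, so check the following context and take it out in the same hunk. Removing the `DBG_*` and `VPN_WATCH` checkboxes together with the `$checked{...}` map in the hunk at `@@ -2447` is the right pairing; settings files written by earlier versions may still contain those keys, which are then simply ignored.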
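Review bot: in the `lfs/strongswan` hunk at `@@ -73,18 +79,19 @@`, `rm -vf /usr/lib/ipsec/plugins/*.{,l}a` depends on bash brace expansion, but make runs recipes with `/bin/sh`; if that is not bash the pattern does not expand and `-f` hides the failure, so the `.a`/`.la` files stay installed. Spell the globs out: `rm -vf /usr/lib/ipsec/plugins/*.a /usr/lib/ipsec/plugins/*.la`. Two further points in the same hunk: the tree is still patched with `strongswan-4.5.3_ipfire.patch` although `VER` is now 5.0.0, so confirm the patch still applies (and what it changes) against the new source, or rename it to match; and `--enable-cisco-quirks` and `--enable-nat-transport` are dropped without a word in the commit message, so state whether they are obsolete for this release or deliberately removed functionality. Dropping the `sed` on `src/pluto/modecfg.c` is consistent with the other pluto removals in this patch (the `/var/run/pluto` directory in `tmpfs`, the `whack` calls in `ipsecctrl.c`).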
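Review bot: in the `ipsecctrl.c` hunk at `@@ -140,69 +131,48 @@`, `turn_connection_on(char *name, char *type)` keeps the `type` parameter but no longer uses it; drop it (and the argument at the call site in `main`) or say why it stays. The new `ipsec down` / `ipsec reload` / `ipsec up` sequence assumes the caller has already written the updated `ipsec.conf` before invoking `ipsecctrl`, and the comment `Reload, so the connection is dropped` in `turn_connection_off` is only true under the same assumption; state that precondition in the function comments. Also check whether `/usr/sbin/ipsec up %s` returns before the IKE exchange finishes: it runs under `safe_system`, so if it waits for the peer, the CGI that calls `ipsecctrl S <key>` blocks for the whole retransmit timeout when the remote is unreachable, and a non-blocking variant would be preferable there. Finally, every `reload` now discards stderr (`>/dev/null 2>&1`), so a parse error in the regenerated `ipsec.conf` is lost silently; consider leaving stderr attached so it reaches the web server's error log.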
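Review bot: in the `ipsecctrl.c` hunk at `@@ -300,97 +253,69 @@`, UDP/4500 is now opened with `open_physical` on every interface whose device is valid (`enable_green`, `enable_orange` and `enable_blue` are incremented whenever `findkey` returns a device that passes `VALID_DEVICE`), no longer only on interfaces that a configured connection actually uses; that widens the listening surface on GREEN/BLUE/ORANGE by default, so either keep a per-connection interface check or document that IPsec is intentionally reachable from all zones. In the same block, the `else fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n")` branches (and the BLUE/GREEN ones) now fire on every run for a box that simply has no ORANGE or BLUE, because the old guard `strcmp(interface, "ORANGE") == 0` is gone; drop these messages or emit them only when a connection refers to that interface. Further down, `fprintf(stderr, "Bad arg: %s\n", argv[2])` is reached when `argc == 2`, in which case `argv[2]` is `NULL`; print the argument only when it exists.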
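Review bot: deleting `src/scripts/vpn-watch` removes the only code that re-resolved a peer's hostname every minute and restarted the tunnel when the address changed (the `$ipmatch eq '' && $known ne ''` branch) or when the connection was not `erouted`/`INSTALLED` after ten rounds; the commit message should say what covers dynamic-DNS peers now that the watcher is gone (the `dpdaction` `restart` option in the form handles dead peers, but re-resolution of the remote hostname should be confirmed against strongSwan 5.0.0). Also check that the install line for `/usr/local/bin/vpn-watch`, its rootfile entry and the now-unused `vpn watch` language string are removed alongside the script; none of these is visible in this patch.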
hooks/post-receive -- IPFire 2.x development tree