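#!/bin/bash
# Tear down an IPsec connection described by an ifcfg-style config file:
# the manual SAs and SPD entries are removed through setkey, the peer's
# include line is dropped from /etc/racoon/racoon.conf when IKE was used,
# and ifdown-post is run for the config.
#
# Usage: ifdown-ipsec <config-file | device-name>
# Reads the variables the config file sets (SRC, DST, SRCNET, DSTNET,
# KEY_AH, KEY_ESP, IKE_*, RSA_KEY, SPI_*_IN/OUT, SRCGW).
PATH=/sbin:/usr/sbin/:/bin:/usr/bin

# source_config resolves a relative CONFIG against the cwd, so refuse to
# continue if the network-scripts directory is not there.
cd /etc/sysconfig/network-scripts || exit 1
. /etc/sysconfig/network-scripts/network-functions

CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-$1
source_config   # presumably provided by network-functions; loads $CONFIG

# Work out how the SAs were keyed: explicit AH/ESP keys mean manual keying,
# any IKE setting means automatic keying with the matching method.  Later
# settings win, in the same order as before (PSK, X509, RSA).
if [ -n "$KEY_AH" ] || [ -n "$KEY_ESP" ]; then
  KEYING=manual
fi

if [ -n "$IKE_PSK" ]; then
  KEYING=automatic
  IKE_METHOD=PSK
fi

if [ -n "$IKE_CERTFILE" ] || [ -n "$IKE_PEER_CERTFILE" ] || [ -n "$IKE_DNSSEC" ]; then
  KEYING=automatic
  IKE_METHOD=X509
fi

if [ -n "$RSA_KEY" ]; then
  KEYING=automatic
  IKE_METHOD=RSA
fi

[ -n "$IKE_METHOD" ] && KEYING=automatic
[ -z "$KEYING" ] && KEYING=manual

#######################################
# Print the local source address the kernel would use to reach $1.
# Arguments: $1 - destination address or network
# Outputs:   the "src" field of `ip route get`, on stdout
#######################################
ipsec_route_src() {
  ip -o route get to "$1" | sed 's|.*src \([^ ]*\).*|\1|'
}

if [ -z "$SRC" ]; then
  SRC=$(ipsec_route_src "$DST")
fi

if [ -n "$SRCNET" ] || [ -n "$DSTNET" ]; then
  MODE=tunnel   # not read further in this script
  [ -z "$SRCNET" ] && SRCNET="$SRC/32"
  [ -z "$DSTNET" ] && DSTNET="$DST/32"
  SPD_SRC=$SRCNET
  SPD_DST=$DSTNET
  # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication.
  # NOTE(review): the prefix comparison assumes both values carry a /prefix
  # (${var##*/} is the whole string otherwise) — confirm against ifup-ipsec.
  if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
     && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
          = "NETWORK=${DSTNET%%/*}" ]; then
    EXCLUDE_SRCNET=yes
  fi
  [ -z "$SRCGW" ] && SRCGW=$(ipsec_route_src "$SRCNET")
  ip route del to "$DSTNET" via "$SRCGW" src "$SRCGW"
else
  MODE=transport   # not read further in this script
  SPD_SRC=$SRC
  SPD_DST=$DST
  unset EXCLUDE_SRCNET
fi

# Remove the SAs (only those whose SPI is set) and the SPD entries for this
# peer; the ${var:+...} lines expand to nothing when the variable is empty.
setkey -c << EOF
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
spddelete $SPD_SRC $SPD_DST any -P out;
spddelete $SPD_DST $SPD_SRC any -P in;
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
EOF

if [ "$KEYING" = "automatic" ] && [ -n "$IKE_METHOD" ]; then
  # Drop this peer's include line from racoon.conf by rewriting it through a
  # temp file in the same directory (mktemp creates it 0600, so the config is
  # replaced atomically and never left world-readable).  Dots in $DST are
  # escaped so the address is matched literally rather than as regex wildcards.
  racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX)
  if [ -n "$racoontmp" ]; then
    dst_re=${DST//./\\.}
    grep -v "^include \"/etc/racoon/$dst_re\.conf\";" /etc/racoon/racoon.conf > "$racoontmp"
    mv -f "$racoontmp" /etc/racoon/racoon.conf
  fi
  pidof -x /usr/sbin/racoon > /dev/null 2>&1 && killall -HUP /usr/sbin/racoon
fi

/etc/sysconfig/network-scripts/ifdown-post "$CONFIG"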