#!/bin/sh
# IPsec startup and shutdown command
# Copyright (C) 1998, 1999, 2001  Henry Spencer.
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _realsetup.in,v 1.29 2004/06/09 03:00:41 mcr Exp $

me='ipsec setup'		# for messages

# Misc. paths (some of this should perhaps be overrideable from ipsec.conf).
plutopid=/var/run/pluto.pid
subsyslock=/var/lock/subsys/ipsec
lock=/var/run/ipsec_setup.pid
info=/var/run/ipsec.info
sysflags=/proc/sys/net/ipsec
modules=/proc/modules
ipforward=/proc/sys/net/ipv4/ip_forward
ipsecversion=/proc/net/ipsec_version
kamepfkey=/proc/net/pfkey

# make sure output of (e.g.) ifconfig is in English
unset LANG LANGUAGE LC_ALL LC_MESSAGES

# check we were called properly
if test " $IPSEC_confreadsection" != " setup"
then
	echo "$me: $0 must be called by ipsec_setup" >&2
	exit 1
fi
# defaults for "config setup" items

IPSECinterfaces=${IPSECinterfaces:-%defaultroute}
	if test " $IPSECinterfaces" = " %none" ; then IPSECinterfaces= ; fi
# IPSECforwardcontrol	"no"
# IPSECsyslog	"daemon.error"
# IPSECklipsdebug	"none"
# IPSECplutodebug	"none"
# IPSECdumpdir	"" (no dump)
# IPSECmanualstart	""
# IPSECpluto	"yes"
IPSECplutowait=${IPSECplutowait:-no}
# IPSECprepluto	""
# IPSECpostpluto	""
# IPSECfragicmp	"yes"
# IPSEChidetos	"yes"
IPSECrp_filter=${IPSECrp_filter:-0}
IPSECuniqueids=${IPSECuniqueids:-yes}
IPSECcrlcheckinterval=${IPSECcrlcheckinterval:-0}
# IPSECoverridemtu	""

# Shall we trace?
execute="true"
display="false"
for i in $IPSEC_setupflags
do
	case "$i" in
	"--showonly")	execute="false" ; display=true ;;
	"--show")	display=true ;;
	esac
done

if $display
then
	echo "	" PATH="$PATH"
fi

perform() {
	if $display
	then
		echo "	" "$*"
	fi

	if $execute
	then
		eval "$*"
	fi
}

# function to set up manually-keyed connections
manualconns() {
	if test " $IPSECmanualstart" != " "
	then
		for tu in $IPSECmanualstart
		do
			perform ipsec manual --up $tu
		done
	fi

	# search for things to "ipsec manual --up": auto == "manual"
	eval `ipsec _confread --varprefix MANUALSTART --search auto manual`
	if test " $MANUALSTART_confreadstatus" != " "
	then
		echo "auto=manual search: $MANUALSTART_confreadstatus"
		echo "unable to determine what conns to manual --up; none done"
	elif test " $MANUALSTART_confreadnames" != " "
	then
		for tu in $MANUALSTART_confreadnames
		do
			perform ipsec manual --up $tu
		done
	fi
}

# for no-stdout logging:
LOGONLY="logger -p $IPSECsyslog -t ipsec_setup"

# What an ugly string.
# Must be a string, not a function, because it is nested
# within another sequence (for plutorun).
# Luckily there are NO substitutions in it.
KILLKLIPS='ifl=` ifconfig | sed -n -e "/^ipsec/s/ .*//p" ` ;
	test "X$ifl" != "X" &&
	for i in  $ifl ;
	do
		ifconfig $i down ;
		ipsec tncfg --detach --virtual $i ;
	done ;
	test -r /proc/net/ipsec_klipsdebug && ipsec klipsdebug --none ;
	ipsec eroute --clear ;
	ipsec spi --clear ;
	lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec'

if test -f $kamepfkey
then
	KILLKLIPS='if type setkey > /dev/null 2>&1 ;
		then
			setkey -F ;
			setkey -FP ;
		fi'
fi



# do it
case "$1" in
  start|--start|_autostart)
	# First, does it seem to be going already?
	perform test ! -f $lock "||" "{" \
		echo "\"Openswan IPsec apparently already running, start aborted\"" ";" \
		exit 1 ";" \
		"}"

	# announcement
	# (Warning, changes to this log message may affect barf.)
	version="`ipsec --version | awk 'NR == 1 { print $(3) }' | sed -e 's/^U\(.*\)\/K(.*/\1/'`"
	case "$1" in
	start|--start)	perform echo "\"Starting Openswan IPsec $version...\""	;;
	_autostart)	perform echo "\"Restarting Openswan IPsec $version...\""	;;
	esac

	# preliminaries
	perform rm -f $lock

	for f in /dev/random /dev/urandom
	do
		perform test -r $f "||" "{" \
			echo "\"...unable to start Openswan IPsec, no $f!\"" ";" \
			exit 1 ";" \
			"}"
	    done

	# the meaning of $$ at a different runtime is questionable!
	perform echo '$$' ">" $lock
	perform test -s $lock "||" "{" \
		echo "\"...unable to create $lock, aborting start!\"" ";" \
		rm -f $lock ";" \
		exit 1 ";" \
		"}"

	perform ">" $info

	# here we go
	perform ipsec _startklips \
			--info $info \
			--debug "\"$IPSECklipsdebug\"" \
			--omtu "\"$IPSECoverridemtu\"" \
			--fragicmp "\"$IPSECfragicmp\"" \
			--hidetos "\"$IPSEChidetos\"" \
			--rpfilter "\"$IPSECrp_filter\"" \
			--log "\"$IPSECsyslog\"" \
			$IPSECinterfaces "||" \
		"{" rm -f $lock ";" exit 1 ";" "}"

	perform test -f $ipsecversion "||" \
		test -f $kamepfkey "||" "{" \
		echo "\"OOPS, should have aborted!  Broken shell!\"" ";" \
		exit 1 ";" \
		"}"

	# misc pre-Pluto setup

	perform test -d `dirname $subsyslock` "&&" touch $subsyslock

	if test " $IPSECforwardcontrol" = " yes"
	then
		perform grep '"^0"' $ipforward ">" /dev/null "&&" "{" \
			echo "\"enabling IP forwarding:\"" "|" $LOGONLY ";" \
			echo "\"ipforwardingwas=$fw\"" ">>" $info ";" \
			echo 1 ">" $ipforward ";" \
			"}"
	fi
	manualconns

	plutorestartoncrash=""
	case "$IPSECplutorestartoncrash" in
	    true|[yY]|yes|restart) plutorestartoncrash="--plutorestartoncrash true";;
	    false|[nN]|no|die) plutorestartoncrash="--plutorestartoncrash false" ;;
        esac

	# Pluto
	case "$1" in
	start|--start)	re=	;;
	_autostart)	re=--re	;;
	esac
	if test " $IPSECpluto" != " no"
	then
		perform ipsec _plutorun $re \
			--debug "\"$IPSECplutodebug\"" \
			--uniqueids "\"$IPSECuniqueids\"" \
			--nocrsend "\"$IPSECnocrsend\"" \
			--strictcrlpolicy "\"$IPSECstrictcrlpolicy\"" \
			--nat_traversal "\"$IPSECnat_traversal\"" \
			--keep_alive "\"$IPSECkeep_alive\"" \
			--force_keepalive "\"$IPSECforce_keepalive\"" \
			--disable_port_floating "\"$IPSECdisable_port_floating\"" \
			--virtual_private "\"$IPSECvirtual_private\"" \
			--crlcheckinterval "\"$IPSECcrlcheckinterval\"" \
                        --ocspuri "\"$IPSECocspuri\"" \
			--dump "\"$IPSECdumpdir\"" \
			--opts "\"$IPSECplutoopts\"" \
			--stderrlog "\"$IPSECplutostderrlog\"" \
			--wait "\"$IPSECplutowait\"" \
			--pre "\"$IPSECprepluto\"" \
			--post "\"$IPSECpostpluto\"" \
			--log "\"$IPSECsyslog\"" $plutorestartoncrash \
			--pid "\"$plutopid\"" "||" "{" \
		    $KILLKLIPS ";" \
		    rm -f $lock ";" \
		    exit 1 ";" \
		    "}"
	fi

	# done!
	perform echo "\"...Openswan IPsec started\"" "|" $LOGONLY
	;;

  stop|--stop|_autostop)		# _autostop is same as stop
	# Shut things down.
	perform echo "\"Stopping Openswan IPsec...\""
	perform \
		if test -r $lock ";" \
		then \
			status=0 ";" \
			. $info ";" \
		else \
			echo "\"stop ordered, but IPsec does not appear to be running!\"" ";" \
			echo "\"doing cleanup anyway...\"" ";" \
			status=1 ";" \
		fi
	if test " $IPSECforwardcontrol" = " yes"
	then
		perform test "\"X\$ipforwardingwas\"" = "\"X0\"" "&&" "{" \
			echo "\"disabling IP forwarding:\"" "|" $LOGONLY ";" \
			echo 0 ">" $ipforward ";" \
			"}"
	fi

	perform test -f $plutopid "&&" "{" \
		if ps -p '`' cat $plutopid '`' ">" /dev/null ";" \
		then \
			ipsec whack --shutdown "|" grep -v "^002" ";" \
			sleep 1 ";" \
			if test -s $plutopid ";" \
			then \
				echo "\"Attempt to shut Pluto down failed!  Trying kill:\"" ";" \
				kill '`' cat $plutopid '`' ";" \
				sleep 5 ";" \
			fi ";" \
		else \
			echo "\"Removing orphaned $plutopid:\"" ";" \
		fi ";" \
		rm -f $plutopid ";" \
		"}"

	perform $KILLKLIPS

	perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock

	perform rm -f $info $lock
	perform echo "...Openswan IPsec stopped" "|" $LOGONLY
	perform exit \$status
	;;

  status|--status)
	if test " $IPSEC_setupflags" != " "
	then
		echo "$me $1 does not support $IPSEC_setupflags"
		exit 1
	fi

	if test -f $info
	then
		hasinfo=yes
	fi

	if test -f $lock
	then
		haslock=yes
	fi

	if test -f $subsyslock
	then
		hassublock=yes
	fi

	if test -s $plutopid
	then
		if ps -p `cat $plutopid` >/dev/null
		then
			plutokind=normal
		elif ps -C pluto >/dev/null
		then
			plutokind=illicit
		fi
	elif ps -C pluto >/dev/null
	then
		plutokind=orphaned
	else
		plutokind=no
	fi

	if test -r /proc/net/ipsec_eroute
	then
		if test " `wc -l </proc/net/ipsec_eroute`" -gt 0
		then
			eroutes=`wc -l </proc/net/ipsec_eroute|sed s/\ //g`
		fi
	fi

	if test -r $ipsecversion
	then
		klips=yes
	elif test -r $modules
	then
		klips=maybe
	else
		klips=none
	fi
		
	if test "$haslock"
	then
		echo "IPsec running"
		# might not be a subsystem lock dir, ignore that issue
		if test "$plutokind" = "normal" -a "$klips" = "yes" -a "$hasinfo"
		then
			echo "pluto pid `cat $plutopid`"
                        case "$eroutes" in
                        0)      echo "No tunnels up"    ;;
                        *)      echo "$eroutes tunnels up"      ;;
                        esac
			exit 0
		fi
		echo "but..."
		if test "$plutokind" != "normal"
		then
			echo "$plutokind Pluto running!"
		fi
		if test ! "$hasinfo"
		then
			echo "$info file missing!"
		fi
		case $klips in
		maybe)	echo "KLIPS module is not loaded!"	;;
		none)	echo "no KLIPS in kernel!"		;;
		esac
		if test "$eroutes"
		then
			if test "$eroutes" -gt 0
			then
				echo "some eroutes exist"
			fi
		fi
		exit 1
	else
		echo "IPsec stopped"
		if test ! "$hassublock" -a ! "$hasinfo" -a "$plutokind" = "no" \
								-a ! "$eroutes"
		then
			exit 0
		fi
		echo "but..."
		if test "$hassublock"
		then
			echo "has subsystem lock ($subsyslock)!"
		fi
		if test "$hasinfo"
		then
			echo "has $info file!"
		fi
		if test "$plutokind" != "normal"
		then
			echo "$plutokind Pluto is running!"
		fi
		if test "$eroutes"
		then
			echo "some eroutes exist!"
		fi
		exit 1
	fi
	;;

  --version)
	if test " $IPSEC_setupflags" != " "
	then
		echo "$me $1 does not support $IPSEC_setupflags"
		exit 1
	fi

	echo "$me $IPSEC_VERSION"
	exit 0
	;;

  --help)
	if test " $IPSEC_setupflags" != " "
	then
		echo "$me $1 does not support $IPSEC_setupflags"
		exit 1
	fi

	echo "Usage: $me {--start|--stop|--restart|--status}"
	exit 0
	;;

  *)
	echo "Usage: $me {--start|--stop|--restart|--status}" >&2
	exit 2
esac

exit 0
