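#!/bin/sh
#
# $NetBSD: ipsec,v 1.13 2013/09/12 19:52:50 christos Exp $
#

# PROVIDE: ipsec
# REQUIRE: root bootconf mountcritlocal tty
# BEFORE: DAEMON

# rc.d script that installs (start), flushes (stop) and re-installs
# (reload) the manual IPsec keys and policies kept in /etc/ipsec.conf,
# using setkey(8).
#
# rc.conf variables (read via load_rc_config):
#   ipsec       - rcvar; YES enables this script
#   ipsec_flags - optional: the name of ONE interface whose inet address
#                 replaces every @LOCAL_ADDR@ token in /etc/ipsec.conf
#                 before the file is fed to setkey. The value is passed
#                 to ifconfig as a single argument.
#
# /etc/ipsec.conf carries manual SA keys in the clear; keep it readable
# by root only.

$_rc_subr_loaded . /etc/rc.subr

name="ipsec"
rcvar=$name
start_precmd="ipsec_prestart"
start_cmd="ipsec_start"
stop_precmd="test -f /etc/ipsec.conf"
stop_cmd="ipsec_stop"
reload_cmd="ipsec_reload"
extra_commands="reload"

# Refuse to start when /etc/ipsec.conf is missing or unreadable, and
# stop the boot (stop_boot) rather than continue without the expected
# policy. The -r test matches the "not readable" wording of the warning.
# Returns 0 when the file is usable, 1 otherwise.
ipsec_prestart()
{
	if [ ! -f /etc/ipsec.conf ] || [ ! -r /etc/ipsec.conf ]; then
		warn "/etc/ipsec.conf not readable; ipsec start aborted."
		stop_boot
		return 1
	fi
	return 0
}

# Print the inet (IPv4) address(es) of interface $1, one per line, as
# parsed from ifconfig(8) output; prints nothing when there is none.
#   $1 - interface name (quoted: passed to ifconfig as one word)
# NOTE(review): an interface with several inet addresses prints several
# lines, which ipsec_load cannot substitute into a single sed expression;
# the script assumes one inet address per interface.
ipsec_getip() {
	ifconfig "$1" | while read -r what address rest; do
		case "$what" in
		inet)	echo "$address";;
		esac
	done
}

# Feed /etc/ipsec.conf to setkey(8).
#   $1 - optional local address; when given, every @LOCAL_ADDR@ token in
#        the configuration is replaced by it first.
# Returns setkey's exit status.
ipsec_load() {
	if [ -z "$1" ]; then
		/sbin/setkey -f /etc/ipsec.conf
	else
		# 'g' so a line naming @LOCAL_ADDR@ more than once is fully
		# substituted; a leftover token would be a setkey syntax error.
		sed -e "s/@LOCAL_ADDR@/$1/g" < /etc/ipsec.conf | \
		    /sbin/setkey -f -
	fi
}

# In a background job, wait until the interface named by $ipsec_flags has
# a real inet address (not empty, not 0.0.0.0), then load the policy with
# that address substituted.
# Globals: ipsec_flags (read) - interface name
# Returns immediately; the load happens asynchronously, so later services
# ordered after this script (BEFORE: DAEMON) may start before the policy
# is installed, and the job never ends if the interface never gets an
# address.
ipsec_configure() {
	local addr
	while true; do
		addr=$(ipsec_getip "$ipsec_flags")
		case "$addr" in
		''|"0.0.0.0")	sleep 1;;
		*)		ipsec_load "$addr"; return;;
		esac
	done &
}

# Install the manual keys/policies: directly, or deferred until the
# interface named by ipsec_flags has an address.
ipsec_start()
{
	echo "Installing ipsec manual keys/policies."
	if [ -n "$ipsec_flags" ]; then
		ipsec_configure
	else
		ipsec_load
	fi
}

# Flush every SA (-F) and every SPD entry (-FP).
ipsec_stop()
{
	echo "Clearing ipsec manual keys/policies."

	# still not 100% sure if we would like to do this.
	# it is very questionable to do this during shutdown session, since
	# it can hang any of remaining IPv4/v6 session.
	#
	# Flushing the SPD also drops "require" policies, so whatever traffic
	# continues afterwards is no longer forced through IPsec.
	/sbin/setkey -F
	/sbin/setkey -FP
}

# Flush, then re-install. With ipsec_flags set the re-install runs in a
# background job, leaving a window with no policy installed.
ipsec_reload()
{
	echo "Reloading ipsec manual keys/policies."
	ipsec_stop
	ipsec_start
}

load_rc_config $name
run_rc_command "$1"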