strongswan/strongswan.init.in
Jan Engelhardt cf0313df27 - rename -hmac subpackage to -fips because it isn't providing
the hmac files, it provides the configuration drop in to
  enforce fips mode.

- Removes deprecated SysV support
- Added prf-plus-modularization.patch that outsources the IKE
- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
  to strongswan-nm subpackage, as it is needed for the
  NetworkManager plugin that uses strongswan-nm, not
- Removed unused requires and macro calls(bsc#1083261)
    improved oracle are not compatible with the earlier
    (wasn't the case since 5.0.0) and packets that have the flag
    also checked against IKEv2 signature schemes. If such
    constraints are used for certificate chain validation in
    transport mode connections coming over the same NAT device for
    Windows 7 IKEv2 clients, which announces its services over the
  * For the vici plugin a Python Egg has been added to allow
    Python applications to control or monitor the IKE daemon using
  * EAP server methods now can fulfill public key constraints,
- Fix build in factory
- Fix systemd unit dir
  from glibc
    IDr payload anymore.
  * Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
  caused an INVALID_SYNTAX error on PowerPC platforms.
- Initial, unfinished package

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=165
2024-11-26 12:56:29 +00:00

279 lines
8.5 KiB
Bash

#!/bin/bash
#
# SUSE/LSB system startup script for strongswan ipsec
#
# Copyright (C) 2007 Marius Tomaschewski, SUSE / Novell Inc.
# based on /etc/init.d/skeleton.compat by Kurt Garloff.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
# USA.
#
# /etc/init.d/ipsec
# and its symbolic link
# /usr/sbin/rcipsec
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
# Please send feedback to http://www.suse.de/feedback/
#
# Note: This script uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux/SUSE/Novell based Linux distributions. However, it shoule
# work on other distributions as well, by using the LSB (Linux Standard
# Base) or RH functions or by open coding the needed functions.
#
# chkconfig: 345 99 00
# description: StrongSwan IPsec
#
### BEGIN INIT INFO
# Provides: ipsec
# Required-Start: $syslog $remote_fs $named
# Should-Start: $time
# Required-Stop: $syslog $remote_fs $named
# Should-Stop: $time
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: StrongSwan IPsec
# Description: StrongSwan IPsec provides encrypted and authenticated
# communication via a unsafe network, such as the internet.
# This scripts loads the kernel modules and starts the user-space setup.
### END INIT INFO
# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
IPSEC_CMD="/usr/sbin/ipsec"
test -x $IPSEC_CMD || {
echo "$IPSEC_CMD not installed";
if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
}
IPSEC_STARTER="@libexecdir@/ipsec/starter"
test -x $IPSEC_STARTER || {
echo "$IPSEC_STARTER not installed";
if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
}
# The pid file of the ipsec starter
IPSEC_PIDFILE="/var/run/starter.pid"
# Check for existence of needed config files
IPSEC_CONFIG="/etc/ipsec.conf"
test -r $IPSEC_CONFIG || {
echo "$IPSEC_CONFIG not existing";
if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
}
IPSEC_SECRET="/etc/ipsec.secrets"
test -r $IPSEC_SECRET || {
echo "$IPSEC_SECRET not existing";
if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
}
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
# Use the SUSE rc_ init script functions;
# emulate them on LSB, RH and other systems
# Default: Assume sysvinit binaries exist
start_daemon() { /sbin/start_daemon ${1+"$@"}; }
killproc() { /sbin/killproc ${1+"$@"}; }
pidofproc() { /sbin/pidofproc ${1+"$@"}; }
checkproc() { /sbin/checkproc ${1+"$@"}; }
if test -e /etc/rc.status; then
# SUSE rc script library
. /etc/rc.status
else
export LC_ALL=POSIX
_cmd=$1
declare -a _SMSG
if test "${_cmd}" = "status"; then
_SMSG=(running dead dead unused unknown reserved)
_RC_UNUSED=3
else
_SMSG=(done failed failed missed failed skipped unused failed failed reserved)
_RC_UNUSED=6
fi
if test -e /lib/lsb/init-functions; then
# LSB
. /lib/lsb/init-functions
echo_rc()
{
if test ${_RC_RV} = 0; then
log_success_msg " [${_SMSG[${_RC_RV}]}] "
else
log_failure_msg " [${_SMSG[${_RC_RV}]}] "
fi
}
# TODO: Add checking for lockfiles
checkproc() { pidofproc ${1+"$@"} >/dev/null 2>&1; }
elif test -e /etc/init.d/functions; then
# RHAT
. /etc/init.d/functions
echo_rc()
{
#echo -n " [${_SMSG[${_RC_RV}]}] "
if test ${_RC_RV} = 0; then
success " [${_SMSG[${_RC_RV}]}] "
else
failure " [${_SMSG[${_RC_RV}]}] "
fi
}
checkproc() { status ${1+"$@"}; }
start_daemon() { daemon ${1+"$@"}; }
else
# emulate it
echo_rc() { echo " [${_SMSG[${_RC_RV}]}] "; }
fi
rc_reset() { _RC_RV=0; }
rc_failed()
{
if test -z "$1"; then
_RC_RV=1;
elif test "$1" != "0"; then
_RC_RV=$1;
fi
return ${_RC_RV}
}
rc_check()
{
rc_failed $?
}
rc_status()
{
rc_failed $?
if test "$1" = "-r"; then _RC_RV=0; shift; fi
if test "$1" = "-s"; then rc_failed 5; echo_rc; rc_failed 3; shift; fi
if test "$1" = "-u"; then rc_failed ${_RC_UNUSED}; echo_rc; rc_failed 3; shift; fi
if test "$1" = "-v"; then echo_rc; shift; fi
if test "$1" = "-r"; then _RC_RV=0; shift; fi
return ${_RC_RV}
}
rc_exit() { exit ${_RC_RV}; }
rc_active()
{
local x
for x in /etc/rc.d/rc[0-9].d/S[0-9][0-9]${1} ; do
test -e $x && return 0 || break
done
return 1
}
fi
# Reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.
case "$1" in
start)
$IPSEC_CMD start 2>&1
rc_status -v1
;;
stop)
$IPSEC_CMD stop 2>&1
rc_status -v1
;;
try-restart|condrestart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
sleep 2
$0 start
# Remember status and be quiet
rc_status
;;
reload|force-reload)
$IPSEC_CMD reload
rc_status -v1
;;
status)
# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
echo -n "Checking for service strongSwan IPsec "
#checkproc $IPSEC_STARTER
$IPSEC_CMD status 2>&1 >/dev/null
# NOTE: rc_status knows that we called this init script with
# "status" option and adapts its messages accordingly.
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload, print out the
## argument to this init script which is required for a reload.
## Note: probe is not (yet) part of LSB (as of 1.9)
test $IPSEC_CONFIG -nt $IPSEC_PIDFILE || \
test $IPSEC_SECRET -nt $IPSEC_PIDFILE && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit