SHA256
1
0
forked from pool/ocserv
ocserv/ocserv-forwarding.sh
Alexandre Vicenzi 14fb2eaa63 Accepting request 1059390 from home:mgerstner:branches:network:vpn
- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly
  installed into /etc by a more tailored mechanism. Enabling IP routing
  globally and permanently, just because the package is installed is quite
  invasive. This new script will be invoked before and after the ocserv
  service to switch on and off forwarding, if necessary (bsc#1174722).

OBS-URL: https://build.opensuse.org/request/show/1059390
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=45
2023-03-07 12:02:19 +00:00

90 lines
2.0 KiB
Bash

#!/bin/bash
set -o errexit
# This script enables IP forwarding only for the time of ocserv running
#
# The script should be run as a pre and post script via the systemd service
# unit.
#
# It only touches a sysctl if it doesn't have the required value and is able
# to restore it back to the original value by keeping track of changed
# settings in a state file.
STATEDIR="/run/ocserv"
STATEFILE="$STATEDIR/changed_sysctls"
# the sysctls that need to be at '1' for ocserv to work properly
CONTROLS=("net.ipv4.ip_forward" "net.ipv6.conf.default.forwarding" "net.ipv6.conf.all.forwarding")
errecho() {
echo $* 1>&2
}
usage() {
errecho "Usage: $0 [--enable|--disable]"
errecho
errecho "--enable: enable IP forwarding kernel settings, if necessary"
errecho "--disable: restore IP forwarding kernel settings that have previously been changed via --enable"
errecho
errecho "This script temporarily enables IP forwarding while ocserv is running"
exit 1
}
# make sure we don't create anything world readable for other users
umask 077
if [ $# -ne 1 ]; then
usage
fi
SYSCTL=`which sysctl`
if [ -z "$SYSCTL" ]; then
errecho "Couldn't find 'sysctl'. You need to be root to run this script."
exit 1
fi
operation="$1"
if [ "$operation" = "-h" -o "$operation" = "--help" ]; then
usage
elif [ "$operation" = "--enable" ]; then
changed=()
for control in ${CONTROLS[@]}; do
val=$($SYSCTL -n "$control")
if [ $? -ne 0 ]; then
errecho "failed to run sysctl"
exit 2
fi
if [ "$val" -eq 0 ]; then
echo -n "enabling $control: "
$SYSCTL "${control}=1"
if [ $? -eq 0 ]; then
changed+=("$control")
fi
fi
done
if (( ${#changed[@]} )); then
mkdir -p "$STATEDIR"
for changed in ${changed[@]}; do
echo "$changed" >>"$STATEFILE"
done
fi
elif [ "$operation" = "--disable" ]; then
if [ ! -f "$STATEFILE" ]; then
# nothing to restore
exit 0
fi
for control in `cat $STATEFILE`; do
echo -n "restoring $control: "
$SYSCTL "${control}=0" || continue
done
rm -f "$STATEFILE"
else
errecho "invalid argument: $operation"
usage
fi