forked from pool/ocserv
Alexandre Vicenzi
14fb2eaa63
- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly installed into /etc by a more tailored mechanism. Enabling IP routing globally and permanently, just because the package is installed is quite invasive. This new script will be invoked before and after the ocserv service to switch on and off forwarding, if necessary (bsc#1174722). OBS-URL: https://build.opensuse.org/request/show/1059390 OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=45
90 lines
2.0 KiB
Bash
90 lines
2.0 KiB
Bash
#!/bin/bash
|
|
|
|
set -o errexit
|
|
|
|
# This script enables IP forwarding only for the time of ocserv running
|
|
#
|
|
# The script should be run as a pre and post script via the systemd service
|
|
# unit.
|
|
#
|
|
# It only touches a sysctl if it doesn't have the required value and is able
|
|
# to restore it back to the original value by keeping track of changed
|
|
# settings in a state file.
|
|
|
|
STATEDIR="/run/ocserv"
|
|
STATEFILE="$STATEDIR/changed_sysctls"
|
|
# the sysctls that need to be at '1' for ocserv to work properly
|
|
CONTROLS=("net.ipv4.ip_forward" "net.ipv6.conf.default.forwarding" "net.ipv6.conf.all.forwarding")
|
|
|
|
errecho() {
|
|
echo $* 1>&2
|
|
}
|
|
|
|
usage() {
|
|
errecho "Usage: $0 [--enable|--disable]"
|
|
errecho
|
|
errecho "--enable: enable IP forwarding kernel settings, if necessary"
|
|
errecho "--disable: restore IP forwarding kernel settings that have previously been changed via --enable"
|
|
errecho
|
|
errecho "This script temporarily enables IP forwarding while ocserv is running"
|
|
exit 1
|
|
}
|
|
|
|
# make sure we don't create anything world readable for other users
|
|
umask 077
|
|
|
|
if [ $# -ne 1 ]; then
|
|
usage
|
|
fi
|
|
|
|
SYSCTL=`which sysctl`
|
|
if [ -z "$SYSCTL" ]; then
|
|
errecho "Couldn't find 'sysctl'. You need to be root to run this script."
|
|
exit 1
|
|
fi
|
|
|
|
operation="$1"
|
|
|
|
if [ "$operation" = "-h" -o "$operation" = "--help" ]; then
|
|
usage
|
|
elif [ "$operation" = "--enable" ]; then
|
|
changed=()
|
|
for control in ${CONTROLS[@]}; do
|
|
val=$($SYSCTL -n "$control")
|
|
if [ $? -ne 0 ]; then
|
|
errecho "failed to run sysctl"
|
|
exit 2
|
|
fi
|
|
|
|
if [ "$val" -eq 0 ]; then
|
|
echo -n "enabling $control: "
|
|
$SYSCTL "${control}=1"
|
|
if [ $? -eq 0 ]; then
|
|
changed+=("$control")
|
|
fi
|
|
fi
|
|
done
|
|
|
|
if (( ${#changed[@]} )); then
|
|
mkdir -p "$STATEDIR"
|
|
for changed in ${changed[@]}; do
|
|
echo "$changed" >>"$STATEFILE"
|
|
done
|
|
fi
|
|
elif [ "$operation" = "--disable" ]; then
|
|
if [ ! -f "$STATEFILE" ]; then
|
|
# nothing to restore
|
|
exit 0
|
|
fi
|
|
|
|
for control in `cat $STATEFILE`; do
|
|
echo -n "restoring $control: "
|
|
$SYSCTL "${control}=0" || continue
|
|
done
|
|
|
|
rm -f "$STATEFILE"
|
|
else
|
|
errecho "invalid argument: $operation"
|
|
usage
|
|
fi
|