forked from pool/strongswan
Jan Engelhardt
cf0313df27
the hmac files, it provides the configuration drop in to enforce fips mode. - Removes deprecated SysV support - Added prf-plus-modularization.patch that outsources the IKE - move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf to strongswan-nm subpackage, as it is needed for the NetworkManager plugin that uses strongswan-nm, not - Removed unused requires and macro calls(bsc#1083261) improved oracle are not compatible with the earlier (wasn't the case since 5.0.0) and packets that have the flag also checked against IKEv2 signature schemes. If such constraints are used for certificate chain validation in transport mode connections coming over the same NAT device for Windows 7 IKEv2 clients, which announces its services over the * For the vici plugin a Python Egg has been added to allow Python applications to control or monitor the IKE daemon using * EAP server methods now can fulfill public key constraints, - Fix build in factory - Fix systemd unit dir from glibc IDr payload anymore. * Consistent logging of IKE and CHILD SAs at the audit (AUD) level. caused an INVALID_SYNTAX error on PowerPC platforms. - Initial, unfinished package OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=165
279 lines
8.5 KiB
Bash
279 lines
8.5 KiB
Bash
#!/bin/bash
|
|
#
|
|
# SUSE/LSB system startup script for strongswan ipsec
|
|
#
|
|
# Copyright (C) 2007 Marius Tomaschewski, SUSE / Novell Inc.
|
|
# based on /etc/init.d/skeleton.compat by Kurt Garloff.
|
|
#
|
|
# This library is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or (at
|
|
# your option) any later version.
|
|
#
|
|
# This library is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# Lesser General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Lesser General Public
|
|
# License along with this library; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
|
|
# USA.
|
|
#
|
|
# /etc/init.d/ipsec
|
|
# and its symbolic link
|
|
# /usr/sbin/rcipsec
|
|
#
|
|
# LSB compatible service control script; see http://www.linuxbase.org/spec/
|
|
# Please send feedback to http://www.suse.de/feedback/
|
|
#
|
|
# Note: This script uses functions rc_XXX defined in /etc/rc.status on
|
|
# UnitedLinux/SUSE/Novell based Linux distributions. However, it shoule
|
|
# work on other distributions as well, by using the LSB (Linux Standard
|
|
# Base) or RH functions or by open coding the needed functions.
|
|
#
|
|
# chkconfig: 345 99 00
|
|
# description: StrongSwan IPsec
|
|
#
|
|
### BEGIN INIT INFO
|
|
# Provides: ipsec
|
|
# Required-Start: $syslog $remote_fs $named
|
|
# Should-Start: $time
|
|
# Required-Stop: $syslog $remote_fs $named
|
|
# Should-Stop: $time
|
|
# Default-Start: 3 5
|
|
# Default-Stop: 0 1 2 6
|
|
# Short-Description: StrongSwan IPsec
|
|
# Description: StrongSwan IPsec provides encrypted and authenticated
|
|
# communication via a unsafe network, such as the internet.
|
|
# This scripts loads the kernel modules and starts the user-space setup.
|
|
### END INIT INFO
|
|
|
|
|
|
# Check for missing binaries (stale symlinks should not happen)
|
|
# Note: Special treatment of stop for LSB conformance
|
|
IPSEC_CMD="/usr/sbin/ipsec"
|
|
test -x $IPSEC_CMD || {
|
|
echo "$IPSEC_CMD not installed";
|
|
if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
|
|
}
|
|
IPSEC_STARTER="@libexecdir@/ipsec/starter"
|
|
test -x $IPSEC_STARTER || {
|
|
echo "$IPSEC_STARTER not installed";
|
|
if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
|
|
}
|
|
|
|
# The pid file of the ipsec starter
|
|
IPSEC_PIDFILE="/var/run/starter.pid"
|
|
|
|
# Check for existence of needed config files
|
|
IPSEC_CONFIG="/etc/ipsec.conf"
|
|
test -r $IPSEC_CONFIG || {
|
|
echo "$IPSEC_CONFIG not existing";
|
|
if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
|
|
}
|
|
IPSEC_SECRET="/etc/ipsec.secrets"
|
|
test -r $IPSEC_SECRET || {
|
|
echo "$IPSEC_SECRET not existing";
|
|
if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
|
|
}
|
|
|
|
# Source LSB init functions
|
|
# providing start_daemon, killproc, pidofproc,
|
|
# log_success_msg, log_failure_msg and log_warning_msg.
|
|
# This is currently not used by UnitedLinux based distributions and
|
|
# not needed for init scripts for UnitedLinux only. If it is used,
|
|
# the functions from rc.status should not be sourced or used.
|
|
#. /lib/lsb/init-functions
|
|
|
|
# Shell functions sourced from /etc/rc.status:
|
|
# rc_check check and set local and overall rc status
|
|
# rc_status check and set local and overall rc status
|
|
# rc_status -v be verbose in local rc status and clear it afterwards
|
|
# rc_status -v -r ditto and clear both the local and overall rc status
|
|
# rc_status -s display "skipped" and exit with status 3
|
|
# rc_status -u display "unused" and exit with status 3
|
|
# rc_failed set local and overall rc status to failed
|
|
# rc_failed <num> set local and overall rc status to <num>
|
|
# rc_reset clear both the local and overall rc status
|
|
# rc_exit exit appropriate to overall rc status
|
|
# rc_active checks whether a service is activated by symlinks
|
|
|
|
# Use the SUSE rc_ init script functions;
|
|
# emulate them on LSB, RH and other systems
|
|
|
|
# Default: Assume sysvinit binaries exist
|
|
start_daemon() { /sbin/start_daemon ${1+"$@"}; }
|
|
killproc() { /sbin/killproc ${1+"$@"}; }
|
|
pidofproc() { /sbin/pidofproc ${1+"$@"}; }
|
|
checkproc() { /sbin/checkproc ${1+"$@"}; }
|
|
if test -e /etc/rc.status; then
|
|
# SUSE rc script library
|
|
. /etc/rc.status
|
|
else
|
|
export LC_ALL=POSIX
|
|
_cmd=$1
|
|
declare -a _SMSG
|
|
if test "${_cmd}" = "status"; then
|
|
_SMSG=(running dead dead unused unknown reserved)
|
|
_RC_UNUSED=3
|
|
else
|
|
_SMSG=(done failed failed missed failed skipped unused failed failed reserved)
|
|
_RC_UNUSED=6
|
|
fi
|
|
if test -e /lib/lsb/init-functions; then
|
|
# LSB
|
|
. /lib/lsb/init-functions
|
|
echo_rc()
|
|
{
|
|
if test ${_RC_RV} = 0; then
|
|
log_success_msg " [${_SMSG[${_RC_RV}]}] "
|
|
else
|
|
log_failure_msg " [${_SMSG[${_RC_RV}]}] "
|
|
fi
|
|
}
|
|
# TODO: Add checking for lockfiles
|
|
checkproc() { pidofproc ${1+"$@"} >/dev/null 2>&1; }
|
|
elif test -e /etc/init.d/functions; then
|
|
# RHAT
|
|
. /etc/init.d/functions
|
|
echo_rc()
|
|
{
|
|
#echo -n " [${_SMSG[${_RC_RV}]}] "
|
|
if test ${_RC_RV} = 0; then
|
|
success " [${_SMSG[${_RC_RV}]}] "
|
|
else
|
|
failure " [${_SMSG[${_RC_RV}]}] "
|
|
fi
|
|
}
|
|
checkproc() { status ${1+"$@"}; }
|
|
start_daemon() { daemon ${1+"$@"}; }
|
|
else
|
|
# emulate it
|
|
echo_rc() { echo " [${_SMSG[${_RC_RV}]}] "; }
|
|
fi
|
|
rc_reset() { _RC_RV=0; }
|
|
rc_failed()
|
|
{
|
|
if test -z "$1"; then
|
|
_RC_RV=1;
|
|
elif test "$1" != "0"; then
|
|
_RC_RV=$1;
|
|
fi
|
|
return ${_RC_RV}
|
|
}
|
|
rc_check()
|
|
{
|
|
rc_failed $?
|
|
}
|
|
rc_status()
|
|
{
|
|
rc_failed $?
|
|
if test "$1" = "-r"; then _RC_RV=0; shift; fi
|
|
if test "$1" = "-s"; then rc_failed 5; echo_rc; rc_failed 3; shift; fi
|
|
if test "$1" = "-u"; then rc_failed ${_RC_UNUSED}; echo_rc; rc_failed 3; shift; fi
|
|
if test "$1" = "-v"; then echo_rc; shift; fi
|
|
if test "$1" = "-r"; then _RC_RV=0; shift; fi
|
|
return ${_RC_RV}
|
|
}
|
|
rc_exit() { exit ${_RC_RV}; }
|
|
rc_active()
|
|
{
|
|
local x
|
|
for x in /etc/rc.d/rc[0-9].d/S[0-9][0-9]${1} ; do
|
|
test -e $x && return 0 || break
|
|
done
|
|
return 1
|
|
}
|
|
fi
|
|
|
|
# Reset status of this service
|
|
rc_reset
|
|
|
|
# Return values acc. to LSB for all commands but status:
|
|
# 0 - success
|
|
# 1 - generic or unspecified error
|
|
# 2 - invalid or excess argument(s)
|
|
# 3 - unimplemented feature (e.g. "reload")
|
|
# 4 - user had insufficient privileges
|
|
# 5 - program is not installed
|
|
# 6 - program is not configured
|
|
# 7 - program is not running
|
|
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
|
|
#
|
|
# Note that starting an already running service, stopping
|
|
# or restarting a not-running service as well as the restart
|
|
# with force-reload (in case signaling is not supported) are
|
|
# considered a success.
|
|
|
|
case "$1" in
|
|
start)
|
|
$IPSEC_CMD start 2>&1
|
|
rc_status -v1
|
|
;;
|
|
stop)
|
|
$IPSEC_CMD stop 2>&1
|
|
rc_status -v1
|
|
;;
|
|
try-restart|condrestart)
|
|
## Do a restart only if the service was active before.
|
|
## Note: try-restart is now part of LSB (as of 1.9).
|
|
## RH has a similar command named condrestart.
|
|
if test "$1" = "condrestart"; then
|
|
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
|
|
fi
|
|
$0 status
|
|
if test $? = 0; then
|
|
$0 restart
|
|
else
|
|
rc_reset # Not running is not a failure.
|
|
fi
|
|
# Remember status and be quiet
|
|
rc_status
|
|
;;
|
|
restart)
|
|
## Stop the service and regardless of whether it was
|
|
## running or not, start it again.
|
|
$0 stop
|
|
sleep 2
|
|
$0 start
|
|
|
|
# Remember status and be quiet
|
|
rc_status
|
|
;;
|
|
reload|force-reload)
|
|
$IPSEC_CMD reload
|
|
rc_status -v1
|
|
;;
|
|
status)
|
|
# Return value is slightly different for the status command:
|
|
# 0 - service up and running
|
|
# 1 - service dead, but /var/run/ pid file exists
|
|
# 2 - service dead, but /var/lock/ lock file exists
|
|
# 3 - service not running (unused)
|
|
# 4 - service status unknown :-(
|
|
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
|
|
|
|
echo -n "Checking for service strongSwan IPsec "
|
|
#checkproc $IPSEC_STARTER
|
|
$IPSEC_CMD status 2>&1 >/dev/null
|
|
|
|
# NOTE: rc_status knows that we called this init script with
|
|
# "status" option and adapts its messages accordingly.
|
|
rc_status -v
|
|
;;
|
|
probe)
|
|
## Optional: Probe for the necessity of a reload, print out the
|
|
## argument to this init script which is required for a reload.
|
|
## Note: probe is not (yet) part of LSB (as of 1.9)
|
|
|
|
test $IPSEC_CONFIG -nt $IPSEC_PIDFILE || \
|
|
test $IPSEC_SECRET -nt $IPSEC_PIDFILE && echo reload
|
|
;;
|
|
*)
|
|
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
|
|
exit 1
|
|
;;
|
|
esac
|
|
rc_exit
|