rpms/ipsec-tools/devel ipsec-tools-0.7-splitcidr.patch, NONE, 1.1 p1_up_down, 1.1, 1.2
Steve Conklin (sconklin)
fedora-extras-commits at redhat.com
Thu Feb 28 16:06:12 UTC 2008
Author: sconklin
Update of /cvs/pkgs/rpms/ipsec-tools/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23222
Modified Files:
p1_up_down
Added Files:
ipsec-tools-0.7-splitcidr.patch
Log Message:
bz#273261 using ipsec-tools for remote-access client connection to Cisco ASA
ipsec-tools-0.7-splitcidr.patch:
--- NEW FILE ipsec-tools-0.7-splitcidr.patch ---
diff -NarU5 ipsec-tools-0.7-cvs071018.orig/src/racoon/isakmp_cfg.c ipsec-tools-0.7-cvs071018/src/racoon/isakmp_cfg.c
--- ipsec-tools-0.7-cvs071018.orig/src/racoon/isakmp_cfg.c 2007-06-07 16:04:26.000000000 -0400
+++ ipsec-tools-0.7-cvs071018/src/racoon/isakmp_cfg.c 2007-10-18 16:33:07.000000000 -0400
@@ -1875,10 +1875,11 @@
int *envc;
{
char addrstr[IP_MAX];
char addrlist[IP_MAX * MAXNS + MAXNS];
char *splitlist = addrlist;
+ char *splitlist_cidr;
char defdom[MAXPATHLEN + 1];
int cidr, tmp;
char cidrstr[4];
int i, p;
int test;
@@ -2015,37 +2016,61 @@
"Cannot set DEFAULT_DOMAIN\n");
return -1;
}
/* Split networks */
- if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE)
- splitlist = splitnet_list_2str(iph1->mode_cfg->split_include);
- else {
+ if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) {
+ splitlist =
+ splitnet_list_2str(iph1->mode_cfg->split_include, 0);
+ splitlist_cidr =
+ splitnet_list_2str(iph1->mode_cfg->split_include, 1);
+ } else {
splitlist = addrlist;
+ splitlist_cidr = addrlist;
addrlist[0] = '\0';
}
if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
return -1;
}
+ if (script_env_append(envp, envc,
+ "SPLIT_INCLUDE_CIDR", splitlist_cidr) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set SPLIT_INCLUDE_CIDR\n");
+ return -1;
+ }
if (splitlist != addrlist)
racoon_free(splitlist);
+ if (splitlist_cidr != addrlist)
+ racoon_free(splitlist_cidr);
- if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL)
- splitlist = splitnet_list_2str(iph1->mode_cfg->split_local);
- else {
+ if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) {
+ splitlist =
+ splitnet_list_2str(iph1->mode_cfg->split_local, 0);
+ splitlist_cidr =
+ splitnet_list_2str(iph1->mode_cfg->split_local, 1);
+ } else {
splitlist = addrlist;
+ splitlist_cidr = addrlist;
addrlist[0] = '\0';
}
if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) {
plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n");
return -1;
}
+ if (script_env_append(envp, envc,
+ "SPLIT_LOCAL_CIDR", splitlist_cidr) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set SPLIT_LOCAL_CIDR\n");
+ return -1;
+ }
if (splitlist != addrlist)
racoon_free(splitlist);
+ if (splitlist_cidr != addrlist)
+ racoon_free(splitlist_cidr);
return 0;
}
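Review bot: The early `return -1` paths now leak heap strings: when the SPLIT_INCLUDE append fails, `splitlist_cidr` (allocated just before it) is never freed, and when the new SPLIT_INCLUDE_CIDR append fails both `splitlist` and `splitlist_cidr` are still allocated; the SPLIT_LOCAL pair has the same shape. The original already leaked `splitlist` on that path, but the patch doubles the exposure, and the lists being formatted come from the peer's mode-config attributes. Freeing before each failing return, `if (splitlist != addrlist) racoon_free(splitlist);` / `if (splitlist_cidr != addrlist) racoon_free(splitlist_cidr);` / `return -1;`, or routing the four error exits through one cleanup label, closes it. Neither call to `splitnet_list_2str` is checked for NULL; its allocation is outside these hunks, so whether it can fail should be confirmed before the pointers are handed to `script_env_append`. The enclosing function starts before this hunk.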
int
diff -NarU5 ipsec-tools-0.7-cvs071018.orig/src/racoon/isakmp_unity.c ipsec-tools-0.7-cvs071018/src/racoon/isakmp_unity.c
--- ipsec-tools-0.7-cvs071018.orig/src/racoon/isakmp_unity.c 2007-09-19 15:20:25.000000000 -0400
+++ ipsec-tools-0.7-cvs071018/src/racoon/isakmp_unity.c 2007-10-18 18:11:19.000000000 -0400
@@ -361,12 +361,13 @@
netentry = netentry->next;
racoon_free(delentry);
}
}
-char * splitnet_list_2str(list)
+char * splitnet_list_2str(list, do_cidr)
struct unity_netentry * list;
+ int do_cidr;
{
struct unity_netentry * netentry;
char tmp1[40];
char tmp2[40];
char * str;
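Review bot: The new `do_cidr` parameter is undocumented at the definition, and the only place its meaning is visible is the caller in isakmp_cfg.c. A one-line comment above the function would cover it: `/* do_cidr != 0: format each entry as "addr/prefixlen" (SPLIT_*_CIDR); 0: "addr/dotted-mask". Result is heap-allocated; caller releases it with racoon_free(). */`. The function body continues past this hunk.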
@@ -396,12 +397,21 @@
netentry = list;
while (netentry != NULL) {
inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
-
- len += sprintf(str+len, "%s/%s ", tmp1, tmp2);
+ if (do_cidr) {
+ uint32_t tmp3;
+ int cidrmask;
+
+ tmp3 = ntohl(netentry->network.mask4.s_addr);
+ for (cidrmask = 0; tmp3 != 0; cidrmask++)
+ tmp3 <<= 1;
+ len += sprintf(str+len, "%s/%d ", tmp1, cidrmask);
+ } else {
+ len += sprintf(str+len, "%s/%s ", tmp1, tmp2);
+ }
netentry = netentry->next;
}
str[len-1]=0;
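Review bot: The prefix-length loop `for (cidrmask = 0; tmp3 != 0; cidrmask++)` counts up to the lowest set bit, so a non-contiguous mask from the peer (e.g. 255.0.255.0) silently becomes /24 and the route the script later adds from SPLIT_INCLUDE_CIDR covers more addresses than the mask actually did. These masks arrive in the split-include attribute from the remote gateway, so the computed prefix should be checked against the original mask and the entry logged and skipped when they differ. Since `%s/%d ` is never longer than `%s/%s `, the `sprintf` into `str` stays within whatever bound the allocation outside this hunk used for the dotted-mask form; a comment at that allocation noting the dependency would help. The function's allocation and return are outside this hunk.
```c
		if (do_cidr) {
			uint32_t mask = ntohl(netentry->network.mask4.s_addr);
			uint32_t tmp3 = mask;
			int cidrmask;

			for (cidrmask = 0; tmp3 != 0; cidrmask++)
				tmp3 <<= 1;
			/* a contiguous mask of cidrmask bits reproduces itself here;
			 * anything else has holes and must not be turned into a prefix */
			if (mask != (cidrmask ? 0xffffffffU << (32 - cidrmask) : 0)) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "ignoring non-contiguous netmask %s\n", tmp2);
				netentry = netentry->next;
				continue;
			}
			len += sprintf(str+len, "%s/%d ", tmp1, cidrmask);
		} else {
			/* … unchanged: dotted-mask form … */
		}
```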
diff -NarU5 ipsec-tools-0.7-cvs071018.orig/src/racoon/isakmp_unity.h ipsec-tools-0.7-cvs071018/src/racoon/isakmp_unity.h
--- ipsec-tools-0.7-cvs071018.orig/src/racoon/isakmp_unity.h 2006-09-09 12:22:09.000000000 -0400
+++ ipsec-tools-0.7-cvs071018/src/racoon/isakmp_unity.h 2007-10-18 14:31:34.000000000 -0400
@@ -64,9 +64,9 @@
struct unity_netentry *next;
};
int splitnet_list_add(struct unity_netentry **, struct unity_network *, int *);
void splitnet_list_free(struct unity_netentry *, int *);
-char * splitnet_list_2str(struct unity_netentry *);
+char * splitnet_list_2str(struct unity_netentry *, int);
vchar_t *isakmp_unity_req(struct ph1handle *, struct isakmp_data *);
void isakmp_unity_reply(struct ph1handle *, struct isakmp_data *);
Index: p1_up_down
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/p1_up_down,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- p1_up_down 20 Sep 2007 16:42:06 -0000 1.1
+++ p1_up_down 28 Feb 2008 16:05:36 -0000 1.2
@@ -14,6 +14,7 @@
PATH=/bin:/sbin:/usr/bin:/usr/sbin
+# set up NAT-T
case "${NAT_T}" in
yes|true|on|enable*|1)
LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
@@ -25,23 +26,21 @@
;;
esac
+# determine interface and next-hop for our default route
DFLT_RT=$(ip route list | awk '($1 == "default"){print $3 ";" $5}')
DFLT_IF=${DFLT_RT#*;}
DFLT_GW=${DFLT_RT%;*}
-# convert something like '192.168.123.0/255.255.255.0' into '192.168.123.0/24'
-# FIXME: convince racoon folks to return SPLIT_INCLUDE in the latter form ?
-to_cidr() {
- local IP_ADDR=${1%/*}
- local NETMASK=${1#*/}
- local PREFIX_STR=$(ipcalc -p ${IP_ADDR} ${NETMASK})
- local PREFIX=${PREFIX_STR#*=}
- echo ${IP_ADDR}/${PREFIX}
-}
-
-
+# bring up phase1
phase1_up() {
+ # check if VPN address already set up on default interface (dupe script call)
+ ip addr list ${DFLT_IF} | grep -q "${INTERNAL_ADDR4}/32" && {
+ echo "p1_up_down: phase1_up has already run !!!"
+ exit 4
+ }
+
+ # save current resolv.conf and create new one based on info from VPN server
[ -f /etc/resolv.conf.prevpn ] || cp /etc/resolv.conf /etc/resolv.conf.prevpn
{
echo "# Generated by racoon on $(date)"
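Review bot: The duplicate-run guard `ip addr list ${DFLT_IF} | grep -q "${INTERNAL_ADDR4}/32"` treats the address as an unanchored regular expression, so `10.0.0.1/32` also matches an existing `110.0.0.1/32`, and `INTERNAL_ADDR4` is interpolated into a pattern after only the `grep -q '[0-9]'` check further down, which still admits regex metacharacters. Matching the literal token with its leading keyword, `grep -qF -- " inet ${INTERNAL_ADDR4}/32"`, avoids both. phase1_up continues past this hunk.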
@@ -51,22 +50,27 @@
done
} > /etc/resolv.conf
+ # add VPN address to default interface
ip addr add dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
+ # set up host route to VPN server
ip route add ${REMOTE_ADDR} via ${DFLT_GW} dev ${DFLT_IF}
- if [ -n "${SPLIT_INCLUDE}" ]; then
- for N in ${SPLIT_INCLUDE}; do
- ip route add $(to_cidr ${N}) via ${DFLT_GW} dev ${DFLT_IF} \
- src ${INTERNAL_ADDR4}
+ if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
+ # split tunnel: keep existing default, insert specific tunnel routes
+ for N in ${SPLIT_INCLUDE_CIDR}; do
+ ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
done
else
- for N in ${SPLIT_LOCAL}; do
- ip route add $(to_cidr ${N}) via ${DFLT_GW} dev ${DFLT_IF}
+ # full tunnel: set up any applicable exceptions
+ for N in ${SPLIT_LOCAL_CIDR}; do
+ ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF}
done
+ # ... then replace default route with vpn tunnel
ip route del default
ip route add default via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
fi
+ # update SA database
setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
esp/tunnel/${LOCAL}-${REMOTE}/require;
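Review bot: None of the `ip route add ${N} …` calls in the new loops check their exit status, so a peer-supplied prefix the kernel rejects (or that collides with an existing route) leaves the tunnel partially routed while the script still reports success, and phase1_down later tries to delete routes that were never added. Logging per entry, `ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4} || echo "p1_up_down: failed to add route ${N}"`, keeps the behaviour but makes the partial state visible. The unquoted word-split expansion of SPLIT_INCLUDE_CIDR and SPLIT_LOCAL_CIDR is safe only because racoon formats each entry as addr/prefix; a comment naming that dependency would help the next maintainer. phase1_up continues past this hunk.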
@@ -75,25 +79,32 @@
EOT
}
-
+# bring down phase1
phase1_down() {
+ # restore previous resolv.conf
[ -f /etc/resolv.conf.prevpn ] && mv /etc/resolv.conf.prevpn /etc/resolv.conf
- if [ -n "${SPLIT_INCLUDE}" ]; then
- for N in ${SPLIT_INCLUDE}; do
- ip route del $(to_cidr ${N})
+ if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
+ # split tunnel: remove specific tunnel routes
+ for N in ${SPLIT_INCLUDE_CIDR}; do
+ ip route del ${N}
done
else
- for N in ${SPLIT_LOCAL}; do
- ip route del $(to_cidr ${N})
+ # full tunnel: remove any applicable exceptions
+ for N in ${SPLIT_LOCAL_CIDR}; do
+ ip route del ${N}
done
+ # ... then restore original default route
ip route del default
ip route add default via ${DFLT_GW} dev ${DFLT_IF}
fi
+ # remove host route to VPN server
ip route del ${REMOTE_ADDR}
+ # remove VPN address from default interface
ip addr del dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
+ # clean up SA database
setkey -c << EOT
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
esp/tunnel/${LOCAL}-${REMOTE}/require;
@@ -101,13 +112,13 @@
esp/tunnel/${REMOTE}-${LOCAL}/require;
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
-# linux won't honor a 'deleteall', so we use flush (bad, but necessary for now)
-flush;
+# deleteall still broken on Linux, using 'flush esp' as workaround:
+flush esp;
EOT
}
-
+# print out parameters we received
echo "p1_up_down: $1 starting..."
echo "p1_up_down: LOCAL_ADDR = ${LOCAL_ADDR}"
echo "p1_up_down: LOCAL_PORT = ${LOCAL_PORT}"
@@ -118,19 +129,22 @@
echo "p1_up_down: INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
echo "p1_up_down: INTERNAL_DNS4 = ${INTERNAL_DNS4}"
echo "p1_up_down: DEFAULT_DOMAIN = ${DEFAULT_DOMAIN}"
-echo "p1_up_down: SPLIT_INCLUDE = ${SPLIT_INCLUDE}"
-echo "p1_up_down: SPLIT_LOCAL = ${SPLIT_LOCAL}"
+echo "p1_up_down: SPLIT_INCLUDE_CIDR = ${SPLIT_INCLUDE_CIDR}"
+echo "p1_up_down: SPLIT_LOCAL_CIDR = ${SPLIT_LOCAL_CIDR}"
+# check for valid VPN address
echo ${INTERNAL_ADDR4} | grep -q '[0-9]' || {
echo "p1_up_down: error: invalid INTERNAL_ADDR4."
exit 1
}
+# check for valid default nexthop
echo ${DFLT_GW} | grep -q '[0-9]' || {
echo "p1_up_down: error: invalid DFLT_GW."
exit 2
}
+# main "program"
case "$1" in
phase1_up)
phase1_up