external/subpack/net/strongswan/files/ipsec.init - T108 - Gitiles

 #!/bin/sh /etc/rc.common

 START=90
 STOP=10

 USE_PROCD=1
 PROG=/usr/lib/ipsec/starter

 . $IPKG_INSTROOT/lib/functions.sh
 . $IPKG_INSTROOT/lib/functions/network.sh

 IPSEC_SECRETS_FILE=/etc/ipsec.secrets
 IPSEC_CONN_FILE=/etc/ipsec.conf
 STRONGSWAN_CONF_FILE=/etc/strongswan.conf

 IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
 IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
 STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf

 WAIT_FOR_INTF=0

 file_reset() {
 	: > "$1"
 }

 xappend() {
 	local file="$1"
 	shift

 	echo "$@" >> "$file"
 }

 ipsec_reset() {
 	file_reset "$IPSEC_VAR_CONN_FILE"
 }

 ipsec_xappend() {
 	xappend "$IPSEC_VAR_CONN_FILE" "$@"
 }

 swan_reset() {
 	file_reset "$STRONGSWAN_VAR_CONF_FILE"
 }

 swan_xappend() {
 	xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
 }

 secret_reset() {
 	file_reset "$IPSEC_VAR_SECRETS_FILE"
 }

 secret_xappend() {
 	xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
 }

 warning() {
 	echo "WARNING: $@" >&2
 }

 add_crypto_proposal() {
 	local encryption_algorithm
 	local hash_algorithm
 	local dh_group

 	config_get encryption_algorithm  "$1" encryption_algorithm
 	config_get hash_algorithm        "$1" hash_algorithm
 	config_get dh_group              "$1" dh_group

 	[ -n "${encryption_algorithm}" ] && \
 		crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
 }

 set_crypto_proposal() {
 	local conf="$1"
 	local proposal

 	crypto=""

 	config_get crypto_proposal "$conf" crypto_proposal ""
 	for proposal in $crypto_proposal; do
 		add_crypto_proposal "$proposal"
 	done

 	[ -n "${crypto}" ] && {
 		local force_crypto_proposal

 		config_get_bool force_crypto_proposal "$conf" force_crypto_proposal

 		[ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"
 	}

 	crypto_proposal="${crypto}"
 }

 config_conn() {
 	# Generic ipsec conn section shared by tunnel and transport
 	local mode
 	local local_subnet
 	local local_nat
 	local local_sourceip
 	local local_leftip
 	local local_updown
 	local local_firewall
 	local remote_subnet
 	local remote_sourceip
 	local remote_updown
 	local remote_firewall
 	local ikelifetime
 	local lifetime
 	local margintime
 	local keyingtries
 	local dpdaction
 	local dpddelay
 	local inactivity
 	local keyexchange
 	local reqid
 	local packet_marker

 	config_get mode                     "$1"           mode "route"
 	config_get local_subnet             "$1"           local_subnet ""
 	config_get local_nat                "$1"           local_nat ""
 	config_get local_sourceip           "$1"           local_sourceip ""
 	config_get local_leftip             "$1"           local_leftip "%any"
 	config_get local_updown             "$1"           local_updown ""
 	config_get local_firewall           "$1"           local_firewall ""
 	config_get remote_subnet            "$1"           remote_subnet ""
 	config_get remote_sourceip          "$1"           remote_sourceip ""
 	config_get remote_updown            "$1"           remote_updown ""
 	config_get remote_firewall          "$1"           remote_firewall ""
 	config_get ikelifetime              "$1"           ikelifetime "3h"
 	config_get lifetime                 "$1"           lifetime "1h"
 	config_get margintime               "$1"           margintime "9m"
 	config_get keyingtries              "$1"           keyingtries "3"
 	config_get dpdaction                "$1"           dpdaction "none"
 	config_get dpddelay                 "$1"           dpddelay "30s"
 	config_get inactivity               "$1"           inactivity
 	config_get keyexchange              "$1"           keyexchange "ikev2"
 	config_get reqid                    "$1"           reqid
 	config_get packet_marker            "$1"           packet_marker

 	[ -n "$local_nat" ] && local_subnet=$local_nat

 	ipsec_xappend "conn $config_name-$1"
 	ipsec_xappend "  left=$local_leftip"
 	ipsec_xappend "  right=$remote_gateway"

 	[ -n "$local_sourceip" ] && ipsec_xappend "  leftsourceip=$local_sourceip"
 	[ -n "$local_subnet" ] && ipsec_xappend "  leftsubnet=$local_subnet"

 	[ -n "$local_firewall" ] && ipsec_xappend "  leftfirewall=$local_firewall"
 	[ -n "$remote_firewall" ] && ipsec_xappend "  rightfirewall=$remote_firewall"

 	ipsec_xappend "  ikelifetime=$ikelifetime"
 	ipsec_xappend "  lifetime=$lifetime"
 	ipsec_xappend "  margintime=$margintime"
 	ipsec_xappend "  keyingtries=$keyingtries"
 	ipsec_xappend "  dpdaction=$dpdaction"
 	ipsec_xappend "  dpddelay=$dpddelay"

 	[ -n "$inactivity" ] && ipsec_xappend "  inactivity=$inactivity"
 	[ -n "$reqid" ] && ipsec_xappend "  reqid=$reqid"

 	if [ "$auth_method" = "psk" ]; then
 		ipsec_xappend "  leftauth=psk"
 		ipsec_xappend "  rightauth=psk"

 		[ "$remote_sourceip" != "" ] && ipsec_xappend "  rightsourceip=$remote_sourceip"
 		[ "$remote_subnet" != "" ] && ipsec_xappend "  rightsubnet=$remote_subnet"

 		ipsec_xappend "  auto=$mode"
 	else
 		warning "AuthenticationMethod $auth_method not supported"
 	fi

 	[ -n "$local_identifier" ] && ipsec_xappend "  leftid=$local_identifier"
 	[ -n "$remote_identifier" ] && ipsec_xappend "  rightid=$remote_identifier"
 	[ -n "$local_updown" ] && ipsec_xappend "  leftupdown=$local_updown"
 	[ -n "$remote_updown" ] && ipsec_xappend "  rightupdown=$remote_updown"
 	[ -n "$packet_marker" ] && ipsec_xappend "  mark=$packet_marker"
 	ipsec_xappend "  keyexchange=$keyexchange"

 	set_crypto_proposal "$1"
 	[ -n "${crypto_proposal}" ] && ipsec_xappend "  esp=$crypto_proposal"
 	[ -n "${ike_proposal}" ] && ipsec_xappend "  ike=$ike_proposal"
 }

 config_tunnel() {
 	config_conn "$1"

 	# Specific for the tunnel part
 	ipsec_xappend "  type=tunnel"
 }

 config_transport() {
 	config_conn "$1"

 	# Specific for the transport part
 	ipsec_xappend "  type=transport"
 }

 config_remote() {
 	local enabled
 	local gateway
 	local pre_shared_key
 	local auth_method

 	config_name=$1

 	config_get_bool enabled "$1" enabled 0
 	[ $enabled -eq 0 ] && return

 	config_get gateway           "$1" gateway
 	config_get pre_shared_key    "$1" pre_shared_key
 	config_get auth_method       "$1" authentication_method
 	config_get local_identifier  "$1" local_identifier ""
 	config_get remote_identifier "$1" remote_identifier ""

 	[ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"

 	[ -z "$local_identifier" ] && {
 		local ipdest

 		[ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
 		local_gateway=$(ip -o route get "$ipdest" | awk '/ src / { print gensub(/^.* src ([^ ]*) .*$/, "\\1", "g"); }')
 	}

 	[ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
 	[ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "

 	secret_xappend ": PSK \"$pre_shared_key\""

 	set_crypto_proposal "$1"
 	ike_proposal="$crypto_proposal"

 	config_list_foreach "$1" tunnel config_tunnel

 	config_list_foreach "$1" transport config_transport

 	ipsec_xappend ""
 }

 do_preamble() {
 	ipsec_xappend "# generated by /etc/init.d/ipsec"
 	ipsec_xappend "version 2"
 	ipsec_xappend ""

 	secret_xappend "# generated by /etc/init.d/ipsec"
 }

 config_ipsec() {
 	local debug
 	local rtinstall_enabled
 	local routing_tables_ignored
 	local routing_table
 	local routing_table_id
 	local interface
 	local device_list

 	ipsec_reset
 	secret_reset
 	swan_reset

 	do_preamble

 	config_get debug "$1" debug 0
 	config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
 	[ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no

 	# prepare extra charon config option ignore_routing_tables
 	for routing_table in $(config_get "$1" "ignore_routing_tables"); do
 		if [ "$routing_table" -ge 0 ] 2>/dev/null; then
 			routing_table_id=$routing_table
 		else
 			routing_table_id=$(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc/iproute2/rt_tables)
 		fi

 		[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
 	done

 	local interface_list=$(config_get "$1" "interface")
 	if [ -z "$interface_list" ]; then
 		WAIT_FOR_INTF=0
 	else
 		for interface in $interface_list; do
 			network_get_device device $interface
 			[ -n "$device" ] && append device_list "$device" ","
 		done
 		[ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
 	fi

 	swan_xappend "# generated by /etc/init.d/ipsec"
 	swan_xappend "charon {"
 	swan_xappend "  load_modular = yes"
 	swan_xappend "  install_routes = $install_routes"
 	[ -n "$routing_tables_ignored" ] && swan_xappend "  ignore_routing_tables = $routing_tables_ignored"
 	[ -n "$device_list" ] && swan_xappend "  interfaces_use = $device_list"
 	swan_xappend "    plugins {"
 	swan_xappend "      include /etc/strongswan.d/charon/*.conf"
 	swan_xappend "    }"
 	swan_xappend "  syslog {"
 	swan_xappend "    identifier = ipsec"
 	swan_xappend "    daemon {"
 	swan_xappend "      default = $debug"
 	swan_xappend "    }"
 	swan_xappend "  }"
 	swan_xappend "}"
 }

 prepare_env() {
 	mkdir -p /var/ipsec
 	config_load ipsec
 	config_foreach config_ipsec ipsec
 	config_foreach config_remote remote
 }

 service_running() {
 	ipsec status > /dev/null 2>&1
 }

 reload_service() {
 	running && {
 		prepare_env
 		[ $WAIT_FOR_INTF -eq 0 ] && {
 			ipsec rereadall
 			ipsec reload
 			return
 		}
 	}

 	start
 }

 stop_service() {
 	ipsec_reset
 	swan_reset
 	secret_reset
 }

 check_ipsec_interface() {
 	local intf

 	for intf in $(config_get "$1" interface); do
 		procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload
 	done
 }

 service_triggers() {
 	procd_add_reload_trigger "ipsec"
 	config load "ipsec"
 	config_foreach check_ipsec_interface ipsec
 }

 start_service() {
 	prepare_env

 	[ $WAIT_FOR_INTF -eq 1 ] && return

 	procd_open_instance

 	procd_set_param command $PROG --daemon charon --nofork

 	procd_set_param file $IPSEC_CONN_FILE
 	procd_append_param file $IPSEC_SECRETS_FILE
 	procd_append_param file $STRONGSWAN_CONF_FILE
 	procd_append_param file /etc/strongswan.d/*.conf
 	procd_append_param file /etc/strongswan.d/charon/*.conf

 	procd_set_param respawn

 	procd_close_instance
 }
	#!/bin/sh /etc/rc.common

	START=90
	STOP=10

	USE_PROCD=1
	PROG=/usr/lib/ipsec/starter

	. $IPKG_INSTROOT/lib/functions.sh
	. $IPKG_INSTROOT/lib/functions/network.sh

	IPSEC_SECRETS_FILE=/etc/ipsec.secrets
	IPSEC_CONN_FILE=/etc/ipsec.conf
	STRONGSWAN_CONF_FILE=/etc/strongswan.conf

	IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
	IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
	STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf

	WAIT_FOR_INTF=0

	file_reset() {
	: > "$1"
	}

	xappend() {
	local file="$1"
	shift

	echo "$@" >> "$file"
	}

	ipsec_reset() {
	file_reset "$IPSEC_VAR_CONN_FILE"
	}

	ipsec_xappend() {
	xappend "$IPSEC_VAR_CONN_FILE" "$@"
	}

	swan_reset() {
	file_reset "$STRONGSWAN_VAR_CONF_FILE"
	}

	swan_xappend() {
	xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
	}

	secret_reset() {
	file_reset "$IPSEC_VAR_SECRETS_FILE"
	}

	secret_xappend() {
	xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
	}

	warning() {
	echo "WARNING: $@" >&2
	}

	add_crypto_proposal() {
	local encryption_algorithm
	local hash_algorithm
	local dh_group

	config_get encryption_algorithm "$1" encryption_algorithm
	config_get hash_algorithm "$1" hash_algorithm
	config_get dh_group "$1" dh_group

	[ -n "${encryption_algorithm}" ] && \
	crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
	}

	set_crypto_proposal() {
	local conf="$1"
	local proposal

	crypto=""

	config_get crypto_proposal "$conf" crypto_proposal ""
	for proposal in $crypto_proposal; do
	add_crypto_proposal "$proposal"
	done

	[ -n "${crypto}" ] && {
	local force_crypto_proposal

	config_get_bool force_crypto_proposal "$conf" force_crypto_proposal

	[ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"
	}

	crypto_proposal="${crypto}"
	}

	config_conn() {
	# Generic ipsec conn section shared by tunnel and transport
	local mode
	local local_subnet
	local local_nat
	local local_sourceip
	local local_leftip
	local local_updown
	local local_firewall
	local remote_subnet
	local remote_sourceip
	local remote_updown
	local remote_firewall
	local ikelifetime
	local lifetime
	local margintime
	local keyingtries
	local dpdaction
	local dpddelay
	local inactivity
	local keyexchange
	local reqid
	local packet_marker

	config_get mode "$1" mode "route"
	config_get local_subnet "$1" local_subnet ""
	config_get local_nat "$1" local_nat ""
	config_get local_sourceip "$1" local_sourceip ""
	config_get local_leftip "$1" local_leftip "%any"
	config_get local_updown "$1" local_updown ""
	config_get local_firewall "$1" local_firewall ""
	config_get remote_subnet "$1" remote_subnet ""
	config_get remote_sourceip "$1" remote_sourceip ""
	config_get remote_updown "$1" remote_updown ""
	config_get remote_firewall "$1" remote_firewall ""
	config_get ikelifetime "$1" ikelifetime "3h"
	config_get lifetime "$1" lifetime "1h"
	config_get margintime "$1" margintime "9m"
	config_get keyingtries "$1" keyingtries "3"
	config_get dpdaction "$1" dpdaction "none"
	config_get dpddelay "$1" dpddelay "30s"
	config_get inactivity "$1" inactivity
	config_get keyexchange "$1" keyexchange "ikev2"
	config_get reqid "$1" reqid
	config_get packet_marker "$1" packet_marker

	[ -n "$local_nat" ] && local_subnet=$local_nat

	ipsec_xappend "conn $config_name-$1"
	ipsec_xappend " left=$local_leftip"
	ipsec_xappend " right=$remote_gateway"

	[ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip"
	[ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=$local_subnet"

	[ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall"
	[ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall"

	ipsec_xappend " ikelifetime=$ikelifetime"
	ipsec_xappend " lifetime=$lifetime"
	ipsec_xappend " margintime=$margintime"
	ipsec_xappend " keyingtries=$keyingtries"
	ipsec_xappend " dpdaction=$dpdaction"
	ipsec_xappend " dpddelay=$dpddelay"

	[ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
	[ -n "$reqid" ] && ipsec_xappend " reqid=$reqid"

	if [ "$auth_method" = "psk" ]; then
	ipsec_xappend " leftauth=psk"
	ipsec_xappend " rightauth=psk"

	[ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
	[ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"

	ipsec_xappend " auto=$mode"
	else
	warning "AuthenticationMethod $auth_method not supported"
	fi

	[ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
	[ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
	[ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
	[ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
	[ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker"
	ipsec_xappend " keyexchange=$keyexchange"

	set_crypto_proposal "$1"
	[ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
	[ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal"
	}

	config_tunnel() {
	config_conn "$1"

	# Specific for the tunnel part
	ipsec_xappend " type=tunnel"
	}

	config_transport() {
	config_conn "$1"

	# Specific for the transport part
	ipsec_xappend " type=transport"
	}

	config_remote() {
	local enabled
	local gateway
	local pre_shared_key
	local auth_method

	config_name=$1

	config_get_bool enabled "$1" enabled 0
	[ $enabled -eq 0 ] && return

	config_get gateway "$1" gateway
	config_get pre_shared_key "$1" pre_shared_key
	config_get auth_method "$1" authentication_method
	config_get local_identifier "$1" local_identifier ""
	config_get remote_identifier "$1" remote_identifier ""

	[ "$gateway" = "any" ] && remote_gateway="%any" \|\| remote_gateway="$gateway"

	[ -z "$local_identifier" ] && {
	local ipdest

	[ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" \|\| ipdest="$remote_gateway"
	local_gateway=$(ip -o route get "$ipdest" \| awk '/ src / { print gensub(/^.* src ([^ ]) .$/, "\\1", "g"); }')
	}

	[ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " \|\| secret_xappend -n "$local_gateway "
	[ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " \|\| secret_xappend -n "$remote_gateway "

	secret_xappend ": PSK \"$pre_shared_key\""

	set_crypto_proposal "$1"
	ike_proposal="$crypto_proposal"

	config_list_foreach "$1" tunnel config_tunnel

	config_list_foreach "$1" transport config_transport

	ipsec_xappend ""
	}

	do_preamble() {
	ipsec_xappend "# generated by /etc/init.d/ipsec"
	ipsec_xappend "version 2"
	ipsec_xappend ""

	secret_xappend "# generated by /etc/init.d/ipsec"
	}

	config_ipsec() {
	local debug
	local rtinstall_enabled
	local routing_tables_ignored
	local routing_table
	local routing_table_id
	local interface
	local device_list

	ipsec_reset
	secret_reset
	swan_reset

	do_preamble

	config_get debug "$1" debug 0
	config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
	[ $rtinstall_enabled -eq 1 ] && install_routes=yes \|\| install_routes=no

	# prepare extra charon config option ignore_routing_tables
	for routing_table in $(config_get "$1" "ignore_routing_tables"); do
	if [ "$routing_table" -ge 0 ] 2>/dev/null; then
	routing_table_id=$routing_table
	else
	routing_table_id=$(sed -n '/[ \t][0-9]\+[ \t]\+'$routing_table'[ \t]$/s/[ \t]\([0-9]\+\)./\1/p' /etc/iproute2/rt_tables)
	fi

	[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
	done

	local interface_list=$(config_get "$1" "interface")
	if [ -z "$interface_list" ]; then
	WAIT_FOR_INTF=0
	else
	for interface in $interface_list; do
	network_get_device device $interface
	[ -n "$device" ] && append device_list "$device" ","
	done
	[ -n "$device_list" ] && WAIT_FOR_INTF=0 \|\| WAIT_FOR_INTF=1
	fi

	swan_xappend "# generated by /etc/init.d/ipsec"
	swan_xappend "charon {"
	swan_xappend " load_modular = yes"
	swan_xappend " install_routes = $install_routes"
	[ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
	[ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list"
	swan_xappend " plugins {"
	swan_xappend " include /etc/strongswan.d/charon/*.conf"
	swan_xappend " }"
	swan_xappend " syslog {"
	swan_xappend " identifier = ipsec"
	swan_xappend " daemon {"
	swan_xappend " default = $debug"
	swan_xappend " }"
	swan_xappend " }"
	swan_xappend "}"
	}

	prepare_env() {
	mkdir -p /var/ipsec
	config_load ipsec
	config_foreach config_ipsec ipsec
	config_foreach config_remote remote
	}

	service_running() {
	ipsec status > /dev/null 2>&1
	}

	reload_service() {
	running && {
	prepare_env
	[ $WAIT_FOR_INTF -eq 0 ] && {
	ipsec rereadall
	ipsec reload
	return
	}
	}

	start
	}

	stop_service() {
	ipsec_reset
	swan_reset
	secret_reset
	}

	check_ipsec_interface() {
	local intf

	for intf in $(config_get "$1" interface); do
	procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload
	done
	}

	service_triggers() {
	procd_add_reload_trigger "ipsec"
	config load "ipsec"
	config_foreach check_ipsec_interface ipsec
	}

	start_service() {
	prepare_env

	[ $WAIT_FOR_INTF -eq 1 ] && return

	procd_open_instance

	procd_set_param command $PROG --daemon charon --nofork

	procd_set_param file $IPSEC_CONN_FILE
	procd_append_param file $IPSEC_SECRETS_FILE
	procd_append_param file $STRONGSWAN_CONF_FILE
	procd_append_param file /etc/strongswan.d/*.conf
	procd_append_param file /etc/strongswan.d/charon/*.conf

	procd_set_param respawn

	procd_close_instance
	}