File: _updown.c

/* $Id: _updown.c,v 1.1 2005/07/21 20:42:57 ken Exp $
 *
 * THIS IS OBSOLETE - It is no longer functionally identical to the scripts
 *
 *
 * This program is a replacement for the /usr/local/lib/ipsec/_updown script
 * and its functionality is identical.
 *
 * Installation:
 * 1. Compile with "gcc -O2 -o updown updown.c"
 * 2. Install "cp -f updown /usr/local/lib/ipsec"
 * 3. Update your configs so that they include leftupdown and rightupdown
 * keywords, e.g.:
 *
 * conn test
 *   ...
 *   leftupdown=/usr/local/lib/ipsec/updown
 *   rightupdown=/usr/local/lib/ipsec/updown
 *   ...
 * 
 * Characteristics:
 * - written in C, thus faster and less resource intensive than shell script
 * - uses iptables
 * - doesn't yet support opportunistic encryption
 *
 * Written by Pawel Krawczyk <kravietz at aba.krakow.pl>
 *
 * License: GPLv2.
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Value of the environment variable `what`, or NULL if it is unset. */
char *load(const char *what);
/* Exec `bin` with the NULL-terminated `argv` and wait for it.  Returns the
 * raw waitpid() status, or 1 if the child could not be created or waited for. */
int my_system(char *bin, char **argv);

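/* Fetch the Pluto-supplied variable `name` via load().  When it is absent,
 * report "<name> not set" on stderr and return NULL so main() can bail out. */
static char *require_env(const char *name) {
	char *value = load(name);

	if (value == NULL)
		fprintf(stderr, "%s not set\n", name);
	return value;
}

/* Turn a non-zero result of my_system() into a process exit code in 1..255.
 * my_system() hands back the raw waitpid() status, and a process exit status
 * is taken modulo 256 -- returning the raw value would make an "ip" exit code
 * of 1 (status 256) look like success to whoever invoked us. */
static int failure_exit_code(int status) {
	if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
		return WEXITSTATUS(status);
	return 1;
}

/* Run /bin/ip with the prepared `argv`, or in testing mode only print
 * "<label> <target>".  Returns 0 on success, else an exit code for main(). */
static int run_ip(int testing, char **argv, const char *label, const char *target) {
	int status;

	if (testing) {
		printf("%s %s\n", label, target);
		return 0;
	}
	status = my_system("/bin/ip", argv);
	return status == 0 ? 0 : failure_exit_code(status);
}

/*
 * updown entry point: Pluto calls us with the connection parameters in
 * PLUTO_* environment variables and the operation in PLUTO_VERB.
 *
 * Returns 0 on success, 1 when a required variable is missing, and ip's
 * exit code (or 1) when a route add/del command fails.
 */
int main(void) {
	char *pluto_verb;
	char *pluto_peer_client;
	char *pluto_interface;
	char *pluto_me;
	char *pluto_my_client;
	char *argv[20];
	int rc;
	int testing = 0;

	/* With UPDOWN_TESTING set, print the commands instead of running them. */
	if (load("UPDOWN_TESTING") == NULL) {
		/* Best effort: nothing below uses a relative path, so a failure
		 * here is worth a warning but not an abort. */
		if (chdir("/etc") == -1)
			fprintf(stderr, "warning: chdir(\"/etc\") failed: %s\n",
				strerror(errno));
	} else
		testing = 1;

	/* Read the variables Pluto passed to us; all five are mandatory. */
	pluto_verb = require_env("PLUTO_VERB");
	if (pluto_verb == NULL)
		return 1;
	pluto_peer_client = require_env("PLUTO_PEER_CLIENT");
	if (pluto_peer_client == NULL)
		return 1;
	pluto_interface = require_env("PLUTO_INTERFACE");
	if (pluto_interface == NULL)
		return 1;
	pluto_me = require_env("PLUTO_ME");
	if (pluto_me == NULL)
		return 1;
	pluto_my_client = require_env("PLUTO_MY_CLIENT");
	if (pluto_my_client == NULL)
		return 1;

	/* Add or remove the route depending on the command passed in
	 * PLUTO_VERB.  The values go into execv()'s argv (no shell involved),
	 * so they reach ip verbatim as single arguments. */
	if (strncmp(pluto_verb, "route-", 6) == 0 ||
	    strncmp(pluto_verb, "up-", 3) == 0) {
		argv[0] = "/bin/ip"; argv[1] = "route"; argv[2] = "add";
		argv[3] = pluto_peer_client;
		argv[4] = "dev"; argv[5] = pluto_interface;
		argv[6] = "via"; argv[7] = pluto_me;
		argv[8] = NULL;
		rc = run_ip(testing, argv, "route add", pluto_peer_client);
		if (rc != 0)
			return rc;
	}

	if (strncmp(pluto_verb, "unroute-", 8) == 0 ||
	    strncmp(pluto_verb, "down-", 5) == 0) {
		argv[0] = "/bin/ip"; argv[1] = "route"; argv[2] = "del";
		argv[3] = pluto_peer_client; argv[4] = "dev";
		argv[5] = pluto_interface; argv[6] = "via"; argv[7] = pluto_me;
		argv[8] = NULL;
		rc = run_ip(testing, argv, "route del", pluto_peer_client);
		if (rc != 0)
			return rc;
	}

	if (strncmp(pluto_verb, "prepare-", 8) == 0) {
		argv[0] = "/bin/ip"; argv[1] = "route"; argv[2] = "del";
		argv[3] = pluto_peer_client; argv[4] = NULL;
		if (testing) {
			/* Report the route ip is actually asked to delete,
			 * i.e. PLUTO_PEER_CLIENT (argv[3]), not PLUTO_MY_CLIENT. */
			printf("prepare del %s\n", pluto_peer_client);
		} else {
			/* Errors are ignored here: this only clears a route
			 * that may or may not be present.  Silence ip's
			 * complaints by pointing stdout/stderr at /dev/null
			 * for the rest of the run; if /dev/null cannot be
			 * opened we simply run the command unredirected. */
			int devnull = open("/dev/null", O_WRONLY);

			if (devnull != -1) {
				dup2(devnull, STDOUT_FILENO);
				dup2(devnull, STDERR_FILENO);
				/* The descriptor is now duplicated; drop the
				 * original so it does not leak into ip. */
				if (devnull > STDERR_FILENO)
					close(devnull);
			}
			(void)my_system("/bin/ip", argv);
		}
	}

	return 0;
}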

/*
 * Look up the environment variable `what` (e.g. "PLUTO_VERB") as handed to
 * us by Pluto.
 *
 * Returns NULL when the variable is unset.  If the value itself contains a
 * '=', only the text after the first '=' is returned.
 * NOTE(review): getenv() already returns the value without any "NAME="
 * prefix, so the stripping only affects values that contain '='; none of
 * the PLUTO_* values used in this file appear to -- confirm before relying
 * on it for anything else.
 */
char *load(const char *what) {
	char *value = getenv(what);
	char *eq;

	if (value == NULL)
		return NULL;

	eq = strchr(value, '=');
	return eq != NULL ? eq + 1 : value;
}

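/*
 * Run `bin` with the NULL-terminated argument vector `argv` (execv(), no
 * shell) and wait for it to finish.
 *
 * Returns the raw waitpid() status of the child -- decode it with
 * WIFEXITED()/WEXITSTATUS() -- or 1 if the child could not be created or
 * waited for.  If `bin` cannot be exec'd the child exits with 127, so the
 * caller sees WEXITSTATUS() == 127.
 */
int my_system(char *bin, char **argv) {
	int status;
	pid_t pid;

	pid = fork();
	if (pid == -1)
		return 1;
	if (pid == 0) {
		execv(bin, argv);
		/* Only reached when execv() fails.  Must be _exit(), not
		 * return: returning would run the caller's remaining code in
		 * the child (and with vfork() would corrupt the parent). */
		_exit(127);
	}
	for (;;) {
		if (waitpid(pid, &status, 0) != -1)
			return status;
		/* Retry when interrupted by a signal; any other error is final. */
		if (errno != EINTR)
			return 1;
	}
}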