smeserver-libreswan/contribs9/smeserver-libreswan-add-debug-key.patch

diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks
--- smeserver-libreswan-0.5.old/createlinks     2016-03-24 17:00:47.283000614 +0100
+++ smeserver-libreswan-0.5/createlinks 2016-03-24 17:01:12.827000640 +0100
@@ -13,6 +13,7 @@
        /etc/ipsec.d/ipsec.conf
        /etc/ipsec.d/ipsec.secrets
        /etc/rc.d/init.d/masq
+       /etc/syctl.conf
     ))
 {
     templates2events("$_", qw(
diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug
--- smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug  1970-01-01 01:00:00.000000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug      2016-03-24 17:01:12.826000654 +0100
@@ -0,0 +1 @@
+none
diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
--- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update    2016-03-24 17:00:47.283000614 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update        2016-03-24 17:01:12.826000654 +0100
@@ -49,7 +49,14 @@
 
     # First set ipsec access to private which disables firewall rule
     # Is this the correct syntax - what about die ?
-    $configDB->set_prop( $dbKey, 'access', 'private' );
+    # This is problematic as masq templates are already expanded and may be wrong
+
+    # Make sure access = private
+    # No point in this unless we expand the masq template again
+    
+    #unless ( $ipsec_access eq 'private' ) {
+    #    $configDB->set_prop( $dbKey, 'access', 'private' );
+    #}
 
     my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
     die("Ipsec Error - Unable to launch ipsec stop : $!\n")
@@ -57,7 +64,7 @@
       if not defined $myStopConnection;
     die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
 
-    print "Ipsec Information - Enable Reverse Path Filtering";
+    print "Ipsec Information - reset redirects";
     resetRedirects();
 
     exit 0;
@@ -68,9 +75,11 @@
 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
 
     # Make sure access = public
-    unless ( $ipsec_access eq 'public' ) {
-        $configDB->set_prop( $dbKey, 'access', 'public' );
-    }
+    # No point in this unless we expand the masq template again
+    
+    #unless ( $ipsec_access eq 'public' ) {
+    #    $configDB->set_prop( $dbKey, 'access', 'public' );
+    #}
 
     my $status = (`ps ax | grep -v grep | grep pluto`);
 
@@ -96,7 +105,6 @@
             my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
 
             # Lets check the last state and if it doesn't exist set it disabled
-
             if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
                 my $previpsecstatus = "disabled";
                 $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
@@ -108,7 +116,6 @@
             print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
 
             # Lets reread secrets anyway
-
             print "Ipsec Information - Restart - ReReading Secrets\n";
             my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
 
@@ -122,19 +129,19 @@
                  && ( $ipsecstatus eq "enabled" ) ) {
 
                 # Restart
-
                 print "Ipsec Information - Restarting connection - $ipsecprop\n";
 
                 # Have to use system here as replace usually returns 1280
+                # Replace just rereads the config and does --delete --add
                 system("/usr/sbin/ipsec auto --replace $ipsecprop");
                 print "Ipsec Information - Restart system - replace return code: $?\n";
 
-                # If connection -= start then....
+                # If connection = start then bring it up
                 if ( $connection eq 'start' ) {
                     print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
 
+                    # If it is start rather than add we try and force it to come up
                     startConnection($ipsecprop);
-
                     print "Ipsec Information - En - En auto --up\n";
                     print "Ipsec Information - Restart system - up return code: $?\n";
                 }
@@ -149,24 +156,21 @@
                     && ( $ipsecstatus eq "disabled" ) ) {
 
                 # Stop
-
                 print "Ipsec Information - Stop connection - $ipsecprop\n";
-
                 stopConnection($ipsecprop);
 
                 # Set Previous status
                 changeState( $dbKey, $ipsecstatus );
             }
 
+            # If status was disabled and now enabled then start it
             elsif (    ( $previpsecstatus eq "disabled" )
                     && ( $ipsecstatus eq "enabled" ) ) {
 
                 # Start
-                # Set Previous status
-
                 print "Enabling connection $ipsecprop\n";
 
-                # Have to use system here as replace usually return 1280
+                # Have to use system here as replace usually returns 1280 and not 0
                 system("/usr/sbin/ipsec auto --replace $ipsecprop");
                 print "Ipsec Information - Restart system - return code: $?\n";
 
@@ -183,25 +187,24 @@
                     #or die "exec failed!";
                 }
 
+                # Set Previous status
                 changeState( $ipsecprop, $ipsecstatus );
             }
 
+            # If status was enabled and now disabled then stop it
             elsif (    ( $previpsecstatus eq "enabled" )
                     && ( $ipsecstatus eq "disabled" ) ) {
 
                 # Stop and remove - do we need to  ?
-
                 print "Ipsec Information - Stopping connection $ipsecprop\n ";
                 stopConnection($ipsecprop);
 
                 # Set Previous status
                 changeState( $ipsecprop, $ipsecstatus );
-
             }
 
+            # Should never be here as it means the statuses are other than enabled or disabled
             else {
-
-                # Can't be here as it means the statuses are other than enabled or disabled
                 print "Ipsec Error - Something went wrong with ipsec connection status\n";
             }
 
@@ -212,15 +215,14 @@
     # If it isn't running then start it up
     # Auto connections start themselves. Added connections wait
     else {
-
         print "Ipsec Information - Disable Reverse Path Filtering\n";
-
         setRedirects();
 
         # Make sure access = public
         unless ( $ipsec_access eq 'public' ) {
             $configDB->set_prop( $dbKey, 'access', 'public' );
         }
+
         print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
         my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
         die("Ipsec Error - Unable to launch ipsec start : $!\n ")
@@ -258,13 +260,12 @@
 
     # Big warning - this is a potential security issue
     # Make sure you read and understand what happens !
-
     # If I knew which specific interfaces to change we could reduce the lines here
     system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
       or die("Ipsec Error - A problem occurred with sysctl: $?");
     system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
       or die("Ipsec Error - A problem occurred with sysctl: $?");
-      
+
     system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
       or die("Ipsec Error - A problem occurred with sysctl: $?");
     system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
@@ -286,8 +287,9 @@
 
 sub resetRedirects {
 
-    #    system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
-    # This should reset back to defaults
+    #  /etc/syctl.conf is expanded on ipsec-update
+    # This should reload the file - if ipsec is disabled it should reset to defaults
+    # If ipsec is enabled it should disable rp_filtering
     system("/sbin/sysctl -p") == 0
       or die("Ipsec Error - A problem occurred with sysctl: $?");
 }
diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup       2016-03-24 17:00:47.283000614 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup   2016-03-24 17:01:12.827000640 +0100
@@ -23,12 +23,13 @@
   my $dbKey = 'ipsec';
 
   # Generic setup file
-
+  my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
+  
 # A standard config is included in the RPM but we need to generate a new one so we can modify settings
 
   $OUT .= "config setup\n";
   $OUT .= "    protostack=netkey\n";
-  $OUT .= "    #plutodebug=none\n";
+  $OUT .= "    plutodebug=$debugstatus\n";
   $OUT .= "    #klipsdebug=none\n";
   $OUT .= "    plutostderrlog=/var/log/pluto/pluto.log\n";
   $OUT .= "    dumpdir=/var/run/pluto/\n";
1	diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks
2	--- smeserver-libreswan-0.5.old/createlinks 2016-03-24 17:00:47.283000614 +0100
3	+++ smeserver-libreswan-0.5/createlinks 2016-03-24 17:01:12.827000640 +0100
4	@@ -13,6 +13,7 @@
5	/etc/ipsec.d/ipsec.conf
6	/etc/ipsec.d/ipsec.secrets
7	/etc/rc.d/init.d/masq
8	+ /etc/syctl.conf
9	))
10	{
11	templates2events("$_", qw(
12	diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug
13	--- smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100
14	+++ smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 17:01:12.826000654 +0100
15	@@ -0,0 +1 @@
16	+none
17	diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
18	--- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 17:00:47.283000614 +0100
19	+++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 17:01:12.826000654 +0100
20	@@ -49,7 +49,14 @@
21
22	# First set ipsec access to private which disables firewall rule
23	# Is this the correct syntax - what about die ?
24	- $configDB->set_prop( $dbKey, 'access', 'private' );
25	+ # This is problematic as masq templates are already expanded and may be wrong
26	+
27	+ # Make sure access = private
28	+ # No point in this unless we expand the masq template again
29	+
30	+ #unless ( $ipsec_access eq 'private' ) {
31	+ # $configDB->set_prop( $dbKey, 'access', 'private' );
32	+ #}
33
34	my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
35	die("Ipsec Error - Unable to launch ipsec stop : $!\n")
36	@@ -57,7 +64,7 @@
37	if not defined $myStopConnection;
38	die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
39
40	- print "Ipsec Information - Enable Reverse Path Filtering";
41	+ print "Ipsec Information - reset redirects";
42	resetRedirects();
43
44	exit 0;
45	@@ -68,9 +75,11 @@
46	if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
47
48	# Make sure access = public
49	- unless ( $ipsec_access eq 'public' ) {
50	- $configDB->set_prop( $dbKey, 'access', 'public' );
51	- }
52	+ # No point in this unless we expand the masq template again
53	+
54	+ #unless ( $ipsec_access eq 'public' ) {
55	+ # $configDB->set_prop( $dbKey, 'access', 'public' );
56	+ #}
57
58	my $status = (`ps ax \| grep -v grep \| grep pluto`);
59
60	@@ -96,7 +105,6 @@
61	my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) \|\| '';
62
63	# Lets check the last state and if it doesn't exist set it disabled
64	-
65	if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
66	my $previpsecstatus = "disabled";
67	$ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
68	@@ -108,7 +116,6 @@
69	print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
70
71	# Lets reread secrets anyway
72	-
73	print "Ipsec Information - Restart - ReReading Secrets\n";
74	my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
75
76	@@ -122,19 +129,19 @@
77	&& ( $ipsecstatus eq "enabled" ) ) {
78
79	# Restart
80	-
81	print "Ipsec Information - Restarting connection - $ipsecprop\n";
82
83	# Have to use system here as replace usually returns 1280
84	+ # Replace just rereads the config and does --delete --add
85	system("/usr/sbin/ipsec auto --replace $ipsecprop");
86	print "Ipsec Information - Restart system - replace return code: $?\n";
87
88	- # If connection -= start then....
89	+ # If connection = start then bring it up
90	if ( $connection eq 'start' ) {
91	print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
92
93	+ # If it is start rather than add we try and force it to come up
94	startConnection($ipsecprop);
95	-
96	print "Ipsec Information - En - En auto --up\n";
97	print "Ipsec Information - Restart system - up return code: $?\n";
98	}
99	@@ -149,24 +156,21 @@
100	&& ( $ipsecstatus eq "disabled" ) ) {
101
102	# Stop
103	-
104	print "Ipsec Information - Stop connection - $ipsecprop\n";
105	-
106	stopConnection($ipsecprop);
107
108	# Set Previous status
109	changeState( $dbKey, $ipsecstatus );
110	}
111
112	+ # If status was disabled and now enabled then start it
113	elsif ( ( $previpsecstatus eq "disabled" )
114	&& ( $ipsecstatus eq "enabled" ) ) {
115
116	# Start
117	- # Set Previous status
118	-
119	print "Enabling connection $ipsecprop\n";
120
121	- # Have to use system here as replace usually return 1280
122	+ # Have to use system here as replace usually returns 1280 and not 0
123	system("/usr/sbin/ipsec auto --replace $ipsecprop");
124	print "Ipsec Information - Restart system - return code: $?\n";
125
126	@@ -183,25 +187,24 @@
127	#or die "exec failed!";
128	}
129
130	+ # Set Previous status
131	changeState( $ipsecprop, $ipsecstatus );
132	}
133
134	+ # If status was enabled and now disabled then stop it
135	elsif ( ( $previpsecstatus eq "enabled" )
136	&& ( $ipsecstatus eq "disabled" ) ) {
137
138	# Stop and remove - do we need to ?
139	-
140	print "Ipsec Information - Stopping connection $ipsecprop\n ";
141	stopConnection($ipsecprop);
142
143	# Set Previous status
144	changeState( $ipsecprop, $ipsecstatus );
145	-
146	}
147
148	+ # Should never be here as it means the statuses are other than enabled or disabled
149	else {
150	-
151	- # Can't be here as it means the statuses are other than enabled or disabled
152	print "Ipsec Error - Something went wrong with ipsec connection status\n";
153	}
154
155	@@ -212,15 +215,14 @@
156	# If it isn't running then start it up
157	# Auto connections start themselves. Added connections wait
158	else {
159	-
160	print "Ipsec Information - Disable Reverse Path Filtering\n";
161	-
162	setRedirects();
163
164	# Make sure access = public
165	unless ( $ipsec_access eq 'public' ) {
166	$configDB->set_prop( $dbKey, 'access', 'public' );
167	}
168	+
169	print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
170	my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
171	die("Ipsec Error - Unable to launch ipsec start : $!\n ")
172	@@ -258,13 +260,12 @@
173
174	# Big warning - this is a potential security issue
175	# Make sure you read and understand what happens !
176	-
177	# If I knew which specific interfaces to change we could reduce the lines here
178	system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
179	or die("Ipsec Error - A problem occurred with sysctl: $?");
180	system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
181	or die("Ipsec Error - A problem occurred with sysctl: $?");
182	-
183	+
184	system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
185	or die("Ipsec Error - A problem occurred with sysctl: $?");
186	system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
187	@@ -286,8 +287,9 @@
188
189	sub resetRedirects {
190
191	- # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
192	- # This should reset back to defaults
193	+ # /etc/syctl.conf is expanded on ipsec-update
194	+ # This should reload the file - if ipsec is disabled it should reset to defaults
195	+ # If ipsec is enabled it should disable rp_filtering
196	system("/sbin/sysctl -p") == 0
197	or die("Ipsec Error - A problem occurred with sysctl: $?");
198	}
199	diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
200	--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 17:00:47.283000614 +0100
201	+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 17:01:12.827000640 +0100
202	@@ -23,12 +23,13 @@
203	my $dbKey = 'ipsec';
204
205	# Generic setup file
206	-
207	+ my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) \|\| 'none';
208	+
209	# A standard config is included in the RPM but we need to generate a new one so we can modify settings
210
211	$OUT .= "config setup\n";
212	$OUT .= " protostack=netkey\n";
213	- $OUT .= " #plutodebug=none\n";
214	+ $OUT .= " plutodebug=$debugstatus\n";
215	$OUT .= " #klipsdebug=none\n";
216	$OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
217	$OUT .= " dumpdir=/var/run/pluto/\n";