Contents of /rpms/smeserver-libreswan/contribs9/smeserver-libreswan-add-debug-key.patch

Revision 1.1 - (show annotations) (download)
Thu Mar 24 16:28:17 2016 UTC (8 years, 8 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-libreswan-0_5-20_el6_sme, smeserver-libreswan-0_5-18_el6_sme, smeserver-libreswan-0_5-19_el6_sme, smeserver-libreswan-0_5-26_el6_sme, smeserver-libreswan-0_5-23_el6_sme, smeserver-libreswan-0_5-22_el6_sme, smeserver-libreswan-0_5-31_el6_sme, smeserver-libreswan-0_5-33_el6_sme, smeserver-libreswan-0_5-25_el6_sme, smeserver-libreswan-0_5-30_el6_sme, smeserver-libreswan-0_5-32_el6_sme, smeserver-libreswan-0_5-28_el6_sme, smeserver-libreswan-0_5-27_el6_sme, smeserver-libreswan-0_5-24_el6_sme, smeserver-libreswan-0_5-29_el6_sme, smeserver-libreswan-0_5-34_el6_sme, HEAD
* Thu Mar 24 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-18.sme
- Add debug db key to /etc/ipsec.conf
- Remove setting the ipsec access key to public/private, as it has no effect unless the templates that read it are re-expanded
- Set xfrm_larval_drop correctly

1 diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks
2 --- smeserver-libreswan-0.5.old/createlinks 2016-03-24 17:00:47.283000614 +0100
3 +++ smeserver-libreswan-0.5/createlinks 2016-03-24 17:01:12.827000640 +0100
4 @@ -13,6 +13,7 @@
5 /etc/ipsec.d/ipsec.conf
6 /etc/ipsec.d/ipsec.secrets
7 /etc/rc.d/init.d/masq
8 + /etc/syctl.conf
9 ))
10 {
11 templates2events("$_", qw(
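Review bot: The path on the added line is misspelled, `/etc/syctl.conf`, so the registration points at a file that does not exist and `/etc/sysctl.conf` itself is never re-expanded on the ipsec-update event. Change the line to `/etc/sysctl.conf`. The same misspelling appears in the resetRedirects comment in a later hunk of this patch, and the `sysctl -p` there will otherwise reload whatever stale file is on disk. The enclosing loop over template paths starts before this hunk and continues after it.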
12 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug
13 --- smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100
14 +++ smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 17:01:12.826000654 +0100
15 @@ -0,0 +1 @@
16 +none
17 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
18 --- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 17:00:47.283000614 +0100
19 +++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 17:01:12.826000654 +0100
20 @@ -49,7 +49,14 @@
21
22 # First set ipsec access to private which disables firewall rule
23 # Is this the correct syntax - what about die ?
24 - $configDB->set_prop( $dbKey, 'access', 'private' );
25 + # This is problematic as masq templates are already expanded and may be wrong
26 +
27 + # Make sure access = private
28 + # No point in this unless we expand the masq template again
29 +
30 + #unless ( $ipsec_access eq 'private' ) {
31 + # $configDB->set_prop( $dbKey, 'access', 'private' );
32 + #}
33
34 my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
35 die("Ipsec Error - Unable to launch ipsec stop : $!\n")
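Review bot: Commenting out the `access => 'private'` set_prop means the disable path no longer records that the IPsec firewall rule should be closed, and the comment kept at the top of the hunk says that setting is what disables the rule; so after `ipsec stop` the masq rule presumably stays open until some other event re-expands the masq templates. If the concern is only that the masq template is already expanded, the safer change is to keep the set_prop and re-expand `/etc/rc.d/init.d/masq` (registered for this event in createlinks) before stopping the daemon, rather than dropping the state change. At minimum the new comment should say that the rule is left open, and the stale `# Is this the correct syntax - what about die ?` line now refers to code that no longer runs. The surrounding disable branch starts before this hunk.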
36 @@ -57,7 +64,7 @@
37 if not defined $myStopConnection;
38 die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
39
40 - print "Ipsec Information - Enable Reverse Path Filtering";
41 + print "Ipsec Information - reset redirects";
42 resetRedirects();
43
44 exit 0;
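Review bot: The reworded message on the `+` line lacks the trailing newline every other print in this action carries, so it runs into the next line of output; use `print "Ipsec Information - reset redirects\n";`. The message was renamed because the call below it is `resetRedirects()`, but the symmetric message printed before `setRedirects()` in a later hunk still says "Disable Reverse Path Filtering" while that sub, as shown further down in this patch, sets `send_redirects`/`accept_redirects`; renaming both keeps the log honest.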
45 @@ -68,9 +75,11 @@
46 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
47
48 # Make sure access = public
49 - unless ( $ipsec_access eq 'public' ) {
50 - $configDB->set_prop( $dbKey, 'access', 'public' );
51 - }
52 + # No point in this unless we expand the masq template again
53 +
54 + #unless ( $ipsec_access eq 'public' ) {
55 + # $configDB->set_prop( $dbKey, 'access', 'public' );
56 + #}
57
58 my $status = (`ps ax | grep -v grep | grep pluto`);
59
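Review bot: Commenting out the `access => 'public'` set_prop here leaves the action inconsistent: the "not running, start it" branch later in this file, visible in a later hunk of this patch, still calls `$configDB->set_prop( $dbKey, 'access', 'public' )` under the same rationale. Either both sites should go, or both should stay and be followed by a re-expansion of the masq template, which is what the new comment says is missing. With this hunk applied, `$ipsec_access` is presumably read earlier for nothing on this path; I cannot see its declaration from here.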
60 @@ -96,7 +105,6 @@
61 my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
62
63 # Lets check the last state and if it doesn't exist set it disabled
64 -
65 if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
66 my $previpsecstatus = "disabled";
67 $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
68 @@ -108,7 +116,6 @@
69 print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
70
71 # Lets reread secrets anyway
72 -
73 print "Ipsec Information - Restart - ReReading Secrets\n";
74 my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
75
76 @@ -122,19 +129,19 @@
77 && ( $ipsecstatus eq "enabled" ) ) {
78
79 # Restart
80 -
81 print "Ipsec Information - Restarting connection - $ipsecprop\n";
82
83 # Have to use system here as replace usually returns 1280
84 + # Replace just rereads the config and does --delete --add
85 system("/usr/sbin/ipsec auto --replace $ipsecprop");
86 print "Ipsec Information - Restart system - replace return code: $?\n";
87
88 - # If connection -= start then....
89 + # If connection = start then bring it up
90 if ( $connection eq 'start' ) {
91 print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
92
93 + # If it is start rather than add we try and force it to come up
94 startConnection($ipsecprop);
95 -
96 print "Ipsec Information - En - En auto --up\n";
97 print "Ipsec Information - Restart system - up return code: $?\n";
98 }
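Review bot: The `--replace` call the new comment describes interpolates `$ipsecprop` into a shell command string; `$ipsecprop` is a key name read from the ipsec DB (presumably admin-entered), so the list form `system('/usr/sbin/ipsec', 'auto', '--replace', $ipsecprop);` avoids the shell entirely at no cost. The comment about 1280 should also say what it is: `$?` is the raw wait status, so 1280 is exit code 5 (`$? >> 8`), and the code still ignores it. The "up return code: $?" print after `startConnection` reports whatever that sub last ran, which is not visible in this hunk; the enclosing per-connection loop starts before the hunk and continues after it.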
99 @@ -149,24 +156,21 @@
100 && ( $ipsecstatus eq "disabled" ) ) {
101
102 # Stop
103 -
104 print "Ipsec Information - Stop connection - $ipsecprop\n";
105 -
106 stopConnection($ipsecprop);
107
108 # Set Previous status
109 changeState( $dbKey, $ipsecstatus );
110 }
111
112 + # If status was disabled and now enabled then start it
113 elsif ( ( $previpsecstatus eq "disabled" )
114 && ( $ipsecstatus eq "enabled" ) ) {
115
116 # Start
117 - # Set Previous status
118 -
119 print "Enabling connection $ipsecprop\n";
120
121 - # Have to use system here as replace usually return 1280
122 + # Have to use system here as replace usually returns 1280 and not 0
123 system("/usr/sbin/ipsec auto --replace $ipsecprop");
124 print "Ipsec Information - Restart system - return code: $?\n";
125
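Review bot: The Stop branch records state with `changeState( $dbKey, $ipsecstatus );` whereas every other branch in this file uses `changeState( $ipsecprop, $ipsecstatus );`, and the `PreviousState` property is set per connection on `$ipsecprop` earlier in the file. If changeState writes to the key it is given (its body is not in this hunk), the stop path updates the global `ipsec` record instead of the connection, which would then be stopped again on every run; the fix is `changeState( $ipsecprop, $ipsecstatus );`. The new "returns 1280 and not 0" comment would be clearer as "`$?` is 1280, i.e. exit status 5", since 1280 is a wait status, not an exit code. This branch belongs to an if/elsif chain that starts before the hunk.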
126 @@ -183,25 +187,24 @@
127 #or die "exec failed!";
128 }
129
130 + # Set Previous status
131 changeState( $ipsecprop, $ipsecstatus );
132 }
133
134 + # If status was enabled and now disabled then stop it
135 elsif ( ( $previpsecstatus eq "enabled" )
136 && ( $ipsecstatus eq "disabled" ) ) {
137
138 # Stop and remove - do we need to ?
139 -
140 print "Ipsec Information - Stopping connection $ipsecprop\n ";
141 stopConnection($ipsecprop);
142
143 # Set Previous status
144 changeState( $ipsecprop, $ipsecstatus );
145 -
146 }
147
148 + # Should never be here as it means the statuses are other than enabled or disabled
149 else {
150 -
151 - # Can't be here as it means the statuses are other than enabled or disabled
152 print "Ipsec Error - Something went wrong with ipsec connection status\n";
153 }
154
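Review bot: The relocated comment on the catch-all `else` says this should never happen, but the branch only prints to STDOUT and neither records state nor marks the run as failed, so a malformed status value is silently accepted and the action's exit code, set outside this hunk, is unaffected. Emitting it with `warn "Ipsec Error - unexpected status '$ipsecstatus' for $ipsecprop\n";` puts it on STDERR where event logs collect errors, and a failure flag checked at exit would make it visible. The if/elsif chain this closes starts before the hunk.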
155 @@ -212,15 +215,14 @@
156 # If it isn't running then start it up
157 # Auto connections start themselves. Added connections wait
158 else {
159 -
160 print "Ipsec Information - Disable Reverse Path Filtering\n";
161 -
162 setRedirects();
163
164 # Make sure access = public
165 unless ( $ipsec_access eq 'public' ) {
166 $configDB->set_prop( $dbKey, 'access', 'public' );
167 }
168 +
169 print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
170 my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
171 die("Ipsec Error - Unable to launch ipsec start : $!\n ")
172 @@ -258,13 +260,12 @@
173
174 # Big warning - this is a potential security issue
175 # Make sure you read and understand what happens !
176 -
177 # If I knew which specific interfaces to change we could reduce the lines here
178 system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
179 or die("Ipsec Error - A problem occurred with sysctl: $?");
180 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
181 or die("Ipsec Error - A problem occurred with sysctl: $?");
182 -
183 +
184 system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
185 or die("Ipsec Error - A problem occurred with sysctl: $?");
186 system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
187 @@ -286,8 +287,9 @@
188
189 sub resetRedirects {
190
191 - # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
192 - # This should reset back to defaults
193 + # /etc/syctl.conf is expanded on ipsec-update
194 + # This should reload the file - if ipsec is disabled it should reset to defaults
195 + # If ipsec is enabled it should disable rp_filtering
196 system("/sbin/sysctl -p") == 0
197 or die("Ipsec Error - A problem occurred with sysctl: $?");
198 }
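Review bot: The new comment misspells the path as `/etc/syctl.conf` and states the file "is expanded on ipsec-update"; that is only true if the createlinks registration uses the correct `/etc/sysctl.conf` and the template expansion runs before this action, an ordering not visible here. `sysctl -p` simply loads whatever the file currently holds, so if expansion happens after this action the previous values persist until the next event. I would write the comment as `# /etc/sysctl.conf is a template expanded on ipsec-update; reloading it applies the redirect/rp_filter settings generated for the current ipsec status` so the dependency on expansion order is explicit.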
199 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
200 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 17:00:47.283000614 +0100
201 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 17:01:12.827000640 +0100
202 @@ -23,12 +23,13 @@
203 my $dbKey = 'ipsec';
204
205 # Generic setup file
206 -
207 + my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
208 +
209 # A standard config is included in the RPM but we need to generate a new one so we can modify settings
210
211 $OUT .= "config setup\n";
212 $OUT .= " protostack=netkey\n";
213 - $OUT .= " #plutodebug=none\n";
214 + $OUT .= " plutodebug=$debugstatus\n";
215 $OUT .= " #klipsdebug=none\n";
216 $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
217 $OUT .= " dumpdir=/var/run/pluto/\n";
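Review bot: `plutodebug=$debugstatus` writes the `ipsec/debug` DB value into ipsec.conf verbatim; a value containing whitespace or a newline yields a malformed or injected `config setup` line. Constrain it before interpolating, e.g. `$debugstatus = 'none' unless $debugstatus =~ /\A[\w,-]+\z/;`, or better, check it against the set of debug classes libreswan accepts. A short comment should also note that non-`none` values cause pluto to write verbose negotiation detail to the `plutostderrlog` file named two lines below, which can include sensitive material for some debug classes, so this is a debugging switch rather than a setting to leave on. The template block begins before this hunk.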
