Annotation of /rpms/smeserver-libreswan/contribs9/smeserver-libreswan-add-debug-key.patch

Revision 1.1 - (hide annotations) (download)
Thu Mar 24 16:28:17 2016 UTC (8 years, 1 month ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-libreswan-0_5-20_el6_sme, smeserver-libreswan-0_5-18_el6_sme, smeserver-libreswan-0_5-19_el6_sme, smeserver-libreswan-0_5-26_el6_sme, smeserver-libreswan-0_5-23_el6_sme, smeserver-libreswan-0_5-22_el6_sme, smeserver-libreswan-0_5-31_el6_sme, smeserver-libreswan-0_5-33_el6_sme, smeserver-libreswan-0_5-25_el6_sme, smeserver-libreswan-0_5-30_el6_sme, smeserver-libreswan-0_5-32_el6_sme, smeserver-libreswan-0_5-28_el6_sme, smeserver-libreswan-0_5-27_el6_sme, smeserver-libreswan-0_5-24_el6_sme, smeserver-libreswan-0_5-29_el6_sme, smeserver-libreswan-0_5-34_el6_sme, HEAD
* Thu Mar 24 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-18.sme
- Add debug db key to /etc/ipsec.conf
- Remove setting public/private keys as they have no effect unless templates are re-expanded
- Set xfrm_larval_drop correctly

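diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks
--- smeserver-libreswan-0.5.old/createlinks 2016-03-24 17:00:47.283000614 +0100
+++ smeserver-libreswan-0.5/createlinks 2016-03-24 17:01:12.827000640 +0100
@@ -13,6 +13,7 @@
 /etc/ipsec.d/ipsec.conf
 /etc/ipsec.d/ipsec.secrets
 /etc/rc.d/init.d/masq
+ /etc/syctl.conf
 ))
 {
 templates2events("$_", qw(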
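Review bot: The path added to the templates2events list, `+ /etc/syctl.conf`, is misspelled: the file that `sysctl -p` reloads in resetRedirects is `/etc/sysctl.conf`, so this registers a template for a path that does not exist and the sysctl settings the resetRedirects comment relies on would not be regenerated by the listed events. The same spelling is carried into the new comment in resetRedirects (`# /etc/syctl.conf is expanded on ipsec-update`), so both should be corrected together. The line should read `+    /etc/sysctl.conf`. The templates2events call that consumes this list starts before and ends after the hunk.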
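diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug
--- smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 17:01:12.826000654 +0100
@@ -0,0 +1 @@
+none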
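diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
--- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 17:00:47.283000614 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 17:01:12.826000654 +0100
@@ -49,7 +49,14 @@
 
 # First set ipsec access to private which disables firewall rule
 # Is this the correct syntax - what about die ?
- $configDB->set_prop( $dbKey, 'access', 'private' );
+ # This is problematic as masq templates are already expanded and may be wrong
+
+ # Make sure access = private
+ # No point in this unless we expand the masq template again
+
+ #unless ( $ipsec_access eq 'private' ) {
+ # $configDB->set_prop( $dbKey, 'access', 'private' );
+ #}
 
 my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
 die("Ipsec Error - Unable to launch ipsec stop : $!\n")
@@ -57,7 +64,7 @@
 if not defined $myStopConnection;
 die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
 
- print "Ipsec Information - Enable Reverse Path Filtering";
+ print "Ipsec Information - reset redirects";
 resetRedirects();
 
 exit 0;
@@ -68,9 +75,11 @@
 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
 
 # Make sure access = public
- unless ( $ipsec_access eq 'public' ) {
- $configDB->set_prop( $dbKey, 'access', 'public' );
- }
+ # No point in this unless we expand the masq template again
+
+ #unless ( $ipsec_access eq 'public' ) {
+ # $configDB->set_prop( $dbKey, 'access', 'public' );
+ #}
 
 my $status = (`ps ax | grep -v grep | grep pluto`);
 
@@ -96,7 +105,6 @@
 my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
 
 # Lets check the last state and if it doesn't exist set it disabled
-
 if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
 my $previpsecstatus = "disabled";
 $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
@@ -108,7 +116,6 @@
 print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
 
 # Lets reread secrets anyway
-
 print "Ipsec Information - Restart - ReReading Secrets\n";
 my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
 
@@ -122,19 +129,19 @@
 && ( $ipsecstatus eq "enabled" ) ) {
 
 # Restart
-
 print "Ipsec Information - Restarting connection - $ipsecprop\n";
 
 # Have to use system here as replace usually returns 1280
+ # Replace just rereads the config and does --delete --add
 system("/usr/sbin/ipsec auto --replace $ipsecprop");
 print "Ipsec Information - Restart system - replace return code: $?\n";
 
- # If connection -= start then....
+ # If connection = start then bring it up
 if ( $connection eq 'start' ) {
 print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
 
+ # If it is start rather than add we try and force it to come up
 startConnection($ipsecprop);
-
 print "Ipsec Information - En - En auto --up\n";
 print "Ipsec Information - Restart system - up return code: $?\n";
 }
@@ -149,24 +156,21 @@
 && ( $ipsecstatus eq "disabled" ) ) {
 
 # Stop
-
 print "Ipsec Information - Stop connection - $ipsecprop\n";
-
 stopConnection($ipsecprop);
 
 # Set Previous status
 changeState( $dbKey, $ipsecstatus );
 }
 
+ # If status was disabled and now enabled then start it
 elsif ( ( $previpsecstatus eq "disabled" )
 && ( $ipsecstatus eq "enabled" ) ) {
 
 # Start
- # Set Previous status
-
 print "Enabling connection $ipsecprop\n";
 
- # Have to use system here as replace usually return 1280
+ # Have to use system here as replace usually returns 1280 and not 0
 system("/usr/sbin/ipsec auto --replace $ipsecprop");
 print "Ipsec Information - Restart system - return code: $?\n";
 
@@ -183,25 +187,24 @@
 #or die "exec failed!";
 }
 
+ # Set Previous status
 changeState( $ipsecprop, $ipsecstatus );
 }
 
+ # If status was enabled and now disabled then stop it
 elsif ( ( $previpsecstatus eq "enabled" )
 && ( $ipsecstatus eq "disabled" ) ) {
 
 # Stop and remove - do we need to ?
-
 print "Ipsec Information - Stopping connection $ipsecprop\n ";
 stopConnection($ipsecprop);
 
 # Set Previous status
 changeState( $ipsecprop, $ipsecstatus );
-
 }
 
+ # Should never be here as it means the statuses are other than enabled or disabled
 else {
-
- # Can't be here as it means the statuses are other than enabled or disabled
 print "Ipsec Error - Something went wrong with ipsec connection status\n";
 }
 
@@ -212,15 +215,14 @@
 # If it isn't running then start it up
 # Auto connections start themselves. Added connections wait
 else {
-
 print "Ipsec Information - Disable Reverse Path Filtering\n";
-
 setRedirects();
 
 # Make sure access = public
 unless ( $ipsec_access eq 'public' ) {
 $configDB->set_prop( $dbKey, 'access', 'public' );
 }
+
 print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
 my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
 die("Ipsec Error - Unable to launch ipsec start : $!\n ")
@@ -258,13 +260,12 @@
 
 # Big warning - this is a potential security issue
 # Make sure you read and understand what happens !
-
 # If I knew which specific interfaces to change we could reduce the lines here
 system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
-
+
 system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
@@ -286,8 +287,9 @@
 
 sub resetRedirects {
 
- # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
- # This should reset back to defaults
+ # /etc/syctl.conf is expanded on ipsec-update
+ # This should reload the file - if ipsec is disabled it should reset to defaults
+ # If ipsec is enabled it should disable rp_filtering
 system("/sbin/sysctl -p") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 }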
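Review bot: The `access` property is now only ever moved in one direction: the `set_prop( $dbKey, 'access', 'private' )` call in the stop path (hunk @@ -49) and the `'public'` call in the enabled branch (hunk @@ -68) are commented out, but the `unless ( $ipsec_access eq 'public' ) { $configDB->set_prop( $dbKey, 'access', 'public' ); }` block in the start branch (hunk @@ -212) is kept. Once ipsec has been started, `access` stays `public` after it is stopped, so the next time the masq template is expanded for any reason the firewall rule that the comment at the top of the first hunk says this property disables would be rendered for a service that is down, if that template reads the property as the comments imply. If the re-expansion ordering is the reason for dropping the calls, the remaining one should be dropped for consistency, or both restored and followed by an explicit re-expansion of the masq template (the `expand-template` invocation this commit deletes from resetRedirects shows the mechanism) so the DB state and the rendered rule agree. Separately, the new `print "Ipsec Information - reset redirects";` is the only message in this script without a trailing `\n`. The enclosing action script begins and ends outside the hunks shown.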
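diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 17:00:47.283000614 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 17:01:12.827000640 +0100
@@ -23,12 +23,13 @@
 my $dbKey = 'ipsec';
 
 # Generic setup file
-
+ my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
+
 # A standard config is included in the RPM but we need to generate a new one so we can modify settings
 
 $OUT .= "config setup\n";
 $OUT .= " protostack=netkey\n";
- $OUT .= " #plutodebug=none\n";
+ $OUT .= " plutodebug=$debugstatus\n";
 $OUT .= " #klipsdebug=none\n";
 $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
 $OUT .= " dumpdir=/var/run/pluto/\n";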
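Review bot: The new `plutodebug=$debugstatus` line copies the `debug` db property into the generated ipsec.conf without validation, so whatever string is stored under that key (including whitespace, a newline, or text that looks like another option) is written verbatim into the `config setup` section; the `|| 'none'` fallback only covers an empty or unset value. Since this is a plain db property, it would be safer to restrict it to the token characters plutodebug accepts and fall back to the default otherwise, e.g. `$debugstatus = 'none' unless $debugstatus =~ m{\A[\w, -]+\z};` immediately after the new assignment. The template fragment containing this hunk starts before it (`$dbKey` is declared in the context above) and continues past it.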
