/[smecontribs]/rpms/smeserver-libreswan/contribs9/smeserver-libreswan-move-logfile.patch

Annotation of /rpms/smeserver-libreswan/contribs9/smeserver-libreswan-move-logfile.patch



Revision 1.1 - (hide annotations) (download)
Tue Mar 22 17:28:08 2016 UTC (8 years, 8 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-libreswan-0_5-20_el6_sme, smeserver-libreswan-0_5-18_el6_sme, smeserver-libreswan-0_5-19_el6_sme, smeserver-libreswan-0_5-26_el6_sme, smeserver-libreswan-0_5-23_el6_sme, smeserver-libreswan-0_5-22_el6_sme, smeserver-libreswan-0_5-31_el6_sme, smeserver-libreswan-0_5-33_el6_sme, smeserver-libreswan-0_5-25_el6_sme, smeserver-libreswan-0_5-17_el6_sme, smeserver-libreswan-0_5-30_el6_sme, smeserver-libreswan-0_5-32_el6_sme, smeserver-libreswan-0_5-28_el6_sme, smeserver-libreswan-0_5-27_el6_sme, smeserver-libreswan-0_5-24_el6_sme, smeserver-libreswan-0_5-29_el6_sme, smeserver-libreswan-0_5-34_el6_sme, HEAD
* Tue Mar 22 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-17.sme
- Move pluto.log to /var/log/pluto
- bump libreswan requires version to 3.16
- regenerate masq template on ipsec-update
- change wiki location page
- add sysctl.conf template
- modify masq templates for ipsec status enabled/disabled
- only load ipsec.conf rather than *.conf to avoid loading v6neighbor-hole.conf

1 reetspetit 1.1 diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks
2     --- smeserver-libreswan-0.5.old/createlinks 2016-02-17 14:19:42.000000000 +0100
3     +++ smeserver-libreswan-0.5/createlinks 2016-03-22 18:26:42.624000613 +0100
4     @@ -12,6 +12,7 @@
5     /etc/ipsec.secrets
6     /etc/ipsec.d/ipsec.conf
7     /etc/ipsec.d/ipsec.secrets
8     + /etc/rc.d/init.d/masq
9     ))
10     {
11     templates2events("$_", qw(
12     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
13     --- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2016-02-17 14:19:42.000000000 +0100
14     +++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2016-03-22 18:26:42.623000615 +0100
15     @@ -43,7 +43,7 @@
16     if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) {
17    
18     # Do we check if it is already stopped ?
19     - # For now we stop it regradless
20     + # For now we stop it regardless
21    
22     print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
23    
24     @@ -264,16 +264,11 @@
25     or die("Ipsec Error - A problem occurred with sysctl: $?");
26     system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
27     or die("Ipsec Error - A problem occurred with sysctl: $?");
28     -
29     - # I don;t beleive these are required
30     - # system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
31     - # or die("Ipsec Error - A problem occurred with sysctl: $?");
32     - # system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
33     - # or die("Ipsec Error - A problem occurred with sysctl: $?");
34     - # system("/sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0") == 0
35     - # or die("Ipsec Error - A problem occurred with sysctl: $?");
36     - # system("/sbin/sysctl -w net.ipv4.conf.eth1.accept_redirects=0") == 0
37     - # or die("Ipsec Error - A problem occurred with sysctl: $?");
38     +
39     + system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
40     + or die("Ipsec Error - A problem occurred with sysctl: $?");
41     + system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
42     + or die("Ipsec Error - A problem occurred with sysctl: $?");
43    
44     system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
45     or die("Ipsec Error - A problem occurred with sysctl: $?");
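Review bot: The two `accept_redirects` settings that are now applied at run time (`net.ipv4.conf.all` and `net.ipv4.conf.default`) are not mirrored by the new `z-ipsec-modifications` sysctl.conf template later in this patch, which persists only `net.ipv4.conf.default.accept_redirects = 0`; after a reboot the `all` value stays at whatever the distribution sets unless ipsec-update also runs at boot, which this patch does not show. Either add `net.ipv4.conf.all.accept_redirects = 0` to that template or state in a comment above these calls which of the runtime settings are persisted and which are not. The same mismatch applies to `rp_filter`, where this action sets `default` and the template sets `all`, `default` and several interfaces. The enclosing code around these sysctl calls starts and ends outside the hunk.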
46     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
47     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-02-17 14:19:42.000000000 +0100
48     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-22 18:26:42.624000613 +0100
49     @@ -30,7 +30,7 @@
50     $OUT .= " protostack=netkey\n";
51     $OUT .= " #plutodebug=none\n";
52     $OUT .= " #klipsdebug=none\n";
53     - $OUT .= " plutostderrlog=/var/log/pluto.log\n";
54     + $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
55     $OUT .= " dumpdir=/var/run/pluto/\n";
56     $OUT .= " nat_traversal=yes\n";
57    
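Review bot: `plutostderrlog` now points into `/var/log/pluto/`, but nothing in this patch creates that directory (the createlinks hunk only registers a masq template event), so unless the spec file or another package provides it, pluto will be unable to open its log at start-up. A comment on the changed line, `# /var/log/pluto must already exist; it is not created by this template`, would record the dependency for whoever packages the next version. The enclosing template block starts and ends outside the hunk.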
58     @@ -66,7 +66,7 @@
59     chop($virtual_private);
60     $OUT .= "$virtual_private\n";
61     $OUT .= "\n";
62     - $OUT .= "include /etc/ipsec.d/*.conf\n";
63     + $OUT .= "include /etc/ipsec.d/ipsec.conf\n";
64    
65     # End else
66     }
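Review bot: Narrowing the include from `/etc/ipsec.d/*.conf` to `/etc/ipsec.d/ipsec.conf` silently stops loading any other connection files an administrator has placed in that directory, and the reason is recorded only in the changelog. Add a comment above the changed line, `# include only ipsec.conf: the *.conf glob also pulls in v6neighbor-hole.conf`, so the next maintainer does not widen it again without knowing why it was narrowed.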
67     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto
68     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-02-17 14:19:42.000000000 +0100
69     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-03-22 18:26:42.623000615 +0100
70     @@ -1,4 +1,4 @@
71     -/var/log/pluto.log \{
72     +/var/log/pluto/pluto.log \{
73     missingok
74     notifempty
75     compress
76     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
77     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:26:25.223000613 +0100
78     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:26:42.624000613 +0100
79     @@ -1,9 +1,16 @@
80     +# Required PostRouting for VPN
81     +
82     {
83     - my $ipsec_access = $ipsec{access} || '';
84     + my $ipsec_status = $ipsec{status} || '';
85     +
86     +# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
87    
88     - if ( $ipsec_access eq 'public' ) {
89     + if ( $ipsec_status eq 'enabled' ) {
90     $OUT .= " # Do not NAT VPN traffic\n";
91     - $OUT .=
92     -" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
93     + $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
94     + }
95     +
96     + else {
97     + $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
98     }
99     }
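Review bot: The `$ipsec{access} eq 'public'` condition is replaced by `$ipsec{status} eq 'enabled'` here and in the 56AllowESP and 90adjustESP hunks, so the `access` property no longer has any effect on the NAT exemption or the ESP firewall rules; if that is intended, a comment such as `# rules follow ipsec status only; the access property is not consulted` would make it explicit, otherwise keep `access` as a second condition. The commented-out `# print "Ipsec Information - ..."` debug lines left in all three templates are noise and should be dropped rather than shipped. The `}`, blank line, `else {` layout at the end of the hunk reads as two separate statements at a glance; `} else {` (or `}` immediately followed by `else {`) is the conventional form.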
100     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
101     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:26:25.223000613 +0100
102     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:26:42.623000615 +0100
103     @@ -1,14 +1,18 @@
104     # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
105    
106     {
107     -my $ipsec_access = $ipsec{access} || '';
108     + my $ipsec_status = $ipsec{status} || '';
109    
110     -if ($ipsec_access eq 'public') {
111     +# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
112    
113     - $OUT .= " /sbin/iptables --new-chain esp-in\n";
114     - $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
115     - $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
116     - $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
117     - $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
118     - }
119     + if ( $ipsec_status eq 'enabled' ) {
120     + $OUT .= " /sbin/iptables --new-chain esp-in\n";
121     + $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
122     + $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
123     + $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
124     + $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
125     + }
126     + else {
127     + $OUT .= " # 56AllowESP disabled\n";
128     + }
129     }
130     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
131     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:26:25.241000615 +0100
132     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:26:42.623000615 +0100
133     @@ -1,12 +1,16 @@
134     # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
135     +
136     {
137     - my $ipsec_access = $ipsec{access} || '';
138     - my $ipsec_status = $ipsec{status};
139     - if ( $ipsec_access eq 'public' ) {
140     -
141     - my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
142     + my $ipsec_status = $ipsec{status} || '';
143     +
144     +# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
145    
146     + if ( $ipsec_status eq 'enabled' ) {
147     + my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
148     $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
149     $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
150     }
151     + else {
152     + $OUT .= " # 90adjustESP disabled\n";
153     + }
154     }
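Review bot: The ternary `my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";` now sits inside `if ( $ipsec_status eq 'enabled' )`, so it can only ever yield `ACCEPT` and the `denylog` arm is dead code; replace the two lines with `$OUT .= " /sbin/iptables --replace esp-in 2 -j ACCEPT\n";` or move the ternary back outside the `if`. The old code replaced rule 2 with `denylog` when access was public but status was not enabled, whereas the new code emits only a comment in that case; with the 56AllowESP change the `esp-in` chain is not created when disabled, so that is consistent, but a one-line comment in the `else` branch saying the chain does not exist in that state would help a reader.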
155     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
156     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
157     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-22 18:26:42.624000613 +0100
158     @@ -0,0 +1,29 @@
159     +{
160     +# Set up sysctl.conf for ipsec
161     +# need a check on release version as v8 needs
162     +# net.core.xfrm_larval_drop = 1
163     +# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
164     +
165     +use strict;
166     +use warnings;
167     +use esmith::ConfigDB;
168     +
169     +my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
170     +
171     + if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
172     +
173     + $OUT .= <<CONFIG_END
174     +# Ipsec overrides
175     +net.ipv4.conf.all.rp_filter = 0
176     +net.ipv4.conf.all.send_redirects = 0
177     +net.ipv4.conf.default.accept_redirects = 0
178     +net.ipv4.conf.default.rp_filter = 0
179     +net.ipv4.conf.default.send_redirects = 0
180     +net.ipv4.conf.dummy0.rp_filter = 0
181     +net.ipv4.conf.eth0.rp_filter = 0
182     +net.ipv4.conf.eth1.rp_filter = 0
183     +net.ipv4.conf.lo.rp_filter = 0
184     +
185     +CONFIG_END
186     + }
187     +}
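Review bot: `$configDB->get_prop( 'ipsec', 'status' )` is compared with `eq` without a default, so a missing `ipsec` record or `status` property yields an "uninitialized value" warning under the `use warnings` this fragment enables, and the other templates in this patch guard the same lookup with `|| ''`; use `my $ipsec_status = $configDB->get_prop( 'ipsec', 'status' ) || '';` and `if ( $ipsec_status eq 'enabled' ) {`. The per-interface `rp_filter` keys (`dummy0`, `eth0`, `eth1`) are hard-coded; if one of those interfaces is absent when sysctl.conf is applied, that key is reported as an error, so a comment stating the assumption (`# assumes eth0, eth1 and dummy0 exist; absent interfaces make sysctl report an error for that key`) is worth adding. The header comment says only "Ipsec overrides"; since these lines disable reverse-path filtering on every listed interface, a short why-comment on the `rp_filter` block explaining what IPsec needs it for would help whoever later audits the firewall settings. The `<<CONFIG_END` heredoc relies on the block's closing brace to end the statement; a `;` after `<<CONFIG_END` is the usual form.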
